
Review

Security Engineering of Patient-Centered Health Care Information Systems in Peer-to-Peer Environments: Systematic Review

Imrana Abdullahi Yari1, MSc; Tobias Dehling2,3, PhD; Felix Kluge1, PhD; Juergen Geck4, MSc; Ali Sunyaev2,3, PhD; Bjoern Eskofier1, PhD

1 Department of Artificial Intelligence in Biomedical Engineering, Machine Learning and Data Analytics Lab, Friedrich-Alexander University Erlangen-Nuremberg, Erlangen, Germany
2 Institute of Applied Informatics and Formal Description Methods, Karlsruhe Institute of Technology, Karlsruhe, Germany
3 KASTEL Security Research Labs, Karlsruhe, Germany
4 REFINIO GmbH, Rohr, Germany

Corresponding Author:
Imrana Abdullahi Yari, MSc
Department of Artificial Intelligence in Biomedical Engineering, Machine Learning and Data Analytics Lab
Friedrich-Alexander University Erlangen-Nuremberg
Carl-Thiersch-Straße 2b
Erlangen, 91052
Germany
Phone: 49 9131 85 20288
Email: imrana.yari.abdullahi@fau.de

Abstract

Background: Patient-centered health care information systems (PHSs) enable patients to take control and become knowledgeable about their own health, preferably in a secure environment. Current and emerging PHSs use either a centralized database, peer-to-peer (P2P) technology, or distributed ledger technology for PHS deployment. The evolving COVID-19 decentralized Bluetooth-based tracing systems are examples of disease-centric P2P PHSs. Although using P2P technology for the provision of PHSs can be flexible, scalable, resilient to a single point of failure, and inexpensive for patients, the use of health information on P2P networks poses major security issues as users must manage information security largely by themselves.

Objective: This study aims to identify the inherent security issues for PHS deployment in P2P networks and how they can be overcome. In addition, this study reviews different P2P architectures and proposes a suitable architecture for P2P PHS deployment.

Methods: A systematic literature review was conducted following PRISMA (Preferred Reporting Items for Systematic Reviews and Meta-Analyses) reporting guidelines. Thematic analysis was used for data analysis. We searched the following databases: IEEE Digital Library, PubMed, Science Direct, ACM Digital Library, Scopus, and Semantic Scholar. The search was conducted on articles published between 2008 and 2020. The Common Vulnerability Scoring System was used as a guide for rating security issues.

Results: Our findings are consolidated into 8 key security issues associated with PHS implementation and deployment on P2P networks and 7 factors promoting them. Moreover, we propose a suitable architecture for P2P PHSs and guidelines for the provision of PHSs while maintaining information security.

Conclusions: Despite the clear advantages of P2P PHSs, the absence of centralized controls and inconsistent views of the network on some P2P systems have profound adverse impacts in terms of security. The security issues identified in this study need to be addressed to increase patients’ intention to use PHSs on P2P networks by making them safe to use.

(J Med Internet Res 2021;23(11):e24460) doi: 10.2196/24460

KEYWORDS

patient-centered; health care; information infrastructures; decentralization; mobile health; peer-to-peer; COVID-19 proximity trackers; edge computing; security; vulnerabilities; attacks; threats; mobile phone

J Med Internet Res 2021 | vol. 23 | iss. 11 | e24460 | p. 1 https://www.jmir.org/2021/11/e24460 (page number not for citation purposes)

Abdullahi Yari et al JOURNAL OF MEDICAL INTERNET RESEARCH


Introduction

Motivation

Patients require access to their health information with the same ease as with other web-based activities such as banking or shopping; however, patients are often only one part of the current health care processes and not the focus of attention [1]. Such limitations of traditional health care processes, widespread individual adoption of digital systems, and advancements in health care practice create a growing demand for patient-centered health care information systems (PHSs). PHSs are scalable information systems that leverage information technology to support patients in managing and taking an active role in their own health [1,2]. PHSs are not designed to replace traditional health care information systems, such as electronic health records, but rather to complement them [3] by offering additional functionalities, such as translation of clinical information into layman’s terms [4], provision of information on medications a patient is taking [2,5], or provision of vetted information to support self-administered interventions (eg, reduce weight or quit smoking) [4].

The diversity and flexibility of PHSs enable them to provide any functionality that patients find helpful [2], including maintaining personal health records (PHRs) [6], tracking mental wellness [7], subscribing to risk prediction services for chronic diseases [6,8], and calculating pregnancy due dates [9]. Patients are willing to use PHSs, as revealed in a survey of 800 American patients in which 80% of the patients preferred a patient-centered approach as they felt excluded in the management of their data [10]. With PHSs, patients can access their health information and share it with other stakeholders to co-ordinate their care [1]. Practitioners can make better clinical decisions based on instantaneous access to data in PHSs [11]. In patient-centered health care environments, the value for patients is increased, health care transaction costs are decreased, patients manage interactions through the appropriate release of their own data, and all health care stakeholders will be encouraged to collaborate with patients and other stakeholders to achieve their goals [1].

Technically, PHSs can be deployed using centralized databases (eg, Health Bank [12], Microsoft HealthVault [3], and PittPHR [13]), distributed ledger technology (DLT; eg, Mint Health [14] and Medicalchain [11]), and more flexible peer-to-peer (P2P) technology (eg, OnePatient [15] and doc.ai [7]).

The detrimental effects of centralized health information technology solutions controlled by economic actors are well-known [16], for example, reluctance to innovate or the creation of data silos [16]. DLT-based PHSs, such as MedRec, which is under development at the Massachusetts Institute of Technology [17], are currently spurring the P2P and decentralization push in the health care domain. However, DLT is a specialized P2P technology that does not align well with the needs of the health care sector and the sensitivity of health information. For instance, DLT systems consume excessive computation and communication resources by requiring redundant computations to ensure a consistent state of the ledger across the network, which makes the logged transactions available to all nodes participating in the network, and they have slow processing speeds because multiple parties have to independently verify transactions and arrive at an agreement [18]. The mismatch between DLT and the needs of the health care sector has a simple cause: DLT was primarily designed as a backbone for cryptocurrencies that require one global consistent record of transactions and can thrive even in environments where trusted counterparties do not exist and might even be malicious [19]. Accordingly, DLT is a P2P technology that is too rigid for the health care context, where it is sufficient for all parties involved in the care of a patient to have a consistent view of a patient’s health status and existing trust relationships between parties (eg, the patient-physician relationship) can be leveraged. In this study, we take an information security perspective and contribute to the emergence of PHSs that come with the benefits promised by DLT PHSs, such as decentralization, patient empowerment, and interoperable health systems [18], but are implemented based on less rigid and more flexible P2P technology. We refer to such systems as P2P PHSs.

P2P PHS architectures can be based on hybrid P2P networks (eg, P2HR [20]), approaches that combine centralized and P2P architectures (eg, P2P PHR [6] or the e-toile framework in Switzerland [21]), and highly decentralized networks (eg, P2P-integrating health care enterprise [P2P IHE; 22]). Other examples of P2P PHSs, which are disease-centric, are decentralized systems for Bluetooth-based SARS-CoV-2 (or COVID-19) contact tracing, for example, Pan-European Privacy-Preserving-Proximity-Tracing (PEPP-PT) in Europe [22], Trace-Together in Singapore [23], and Stoop in Austria [24], which are used to notify people when they are near SARS-CoV-2 carriers.

In P2P PHSs, the trust and identity of individual participants do not need to be assured through technology. P2P PHSs provide PHS functionalities locally (on any patient edge device such as mobile phones, tablets, etc) under the sovereignty of individual device owners. Patients can make their health information directly available to other participants they trust without the need for any centralized or distributed nodes to facilitate the transactions. However, P2P PHSs have unique security issues because patients must manage information security for their health information largely by themselves, and even qualified professional administrators are already challenged by the task [25]. The absence of a central entity to act as a trusted computing base on P2P networks [25,26] has profound adverse consequences in terms of security that need to be addressed to reap the benefits that P2P PHSs promise to offer.

Objectives

P2P PHSs raise challenging information security–related questions: How can reliable data backups be implemented? If credentials are lost or compromised, how can they be replaced or blocked? How well is the system protected against unauthorized access? P2P PHSs that are not DLT-based (eg, OnePatient [15] and P2P PHR [6]) are an emerging phenomenon that will become more relevant in the future as they are aligned well with large-scale efforts to re-decentralize the internet (eg, the Solid project by Tim Berners-Lee [27]) and support patients in taking ownership of their health data [1,10]. Although P2P PHSs have been under development for over a decade [21], the dedicated literature on P2P PHSs is sparse. To date, previous studies have focused on security, privacy, and end-user features on centralized and DLT-based PHSs [2,28-31] and did not address security engineering specifically for P2P PHSs, which comes with its own challenges due to a different underlying architecture. To address this gap, this study focuses on security engineering for P2P PHSs based on a systematic literature review. We aim to answer the following research question:

Research question: What are the inherent security issues for PHS deployment on P2P networks and how can they be overcome?

Security issues are defined as any action that could be used to disrupt the functionality of the P2P network or enable unauthorized users to access, modify, or delete user data [32,33], specifically, due to threats or vulnerabilities, such as malware, bugs, access control failures, or patients' inadvertent exposure of their data. To answer the research question, we aim to review existing P2P and P2P PHS architectures and their design choices, study existing PHS features, and propose a suitable architecture for PHS deployment on P2P networks. Thereafter, we aim to highlight the causes and consequences of existing security issues in P2P PHSs and evaluate them based on the identified P2P PHSs in the literature. On the basis of these P2P PHS architectures, we propose security measures for secure provision. To overcome the challenges on the path to P2P PHSs, secure safeguards must be put in place to ensure that information is securely transmitted and protected against cyberattacks [1,34]. Information security is essential for P2P PHSs and will, if appropriately implemented and addressed, increase patients' intention to use P2P PHSs [2,30].

Theoretical Background

P2P PHSs and the Need for Information Security

P2P technology for the provision of PHSs can be flexible and inexpensive for users because it uses available devices at the user’s end for deployment. The characteristics of P2P systems, such as fault tolerance, security and trust, scalability, availability, self-reconfiguration, and extensibility [35,36], facilitate and suit the provision of PHSs. With millions of users worldwide, P2P systems have shown strength in providing services for sharing resources without the need for a central server, for streaming multimedia content with distributed load balancing, for volunteering of computing resources, and for telephony applications. P2P PHSs, such as OnePatient [15] and P2P PHR [6], leverage the power of P2P networks and mobile technology to store health records locally under the control of device owners, thereby increasing patient empowerment and control and simplifying the implementation of data protection principles [8,37,38]. P2P systems have better scalability because operations can be executed locally and customized for different purposes. Patients can easily manage access to their health records by using a single-hop connection (eg, Wi-Fi Direct) with other trusted parties (eg, a physician) without requiring a wireless access point or another intermediary communication network.

Factors that impact the security of centralized PHSs are the database size, the large number of potentially affected users, and the confidentiality of the stored data. The health care sector experiences more data breaches than any other sector [39]. A breach barometer in the United States reported 503 breaches for health data in 2018, affecting over 15 million patients [40]. Similarly, the almost immutable nature of data storage in blockchains makes it nearly impossible for users to erase their stored (metadata) information, which conflicts with the European General Data Protection Regulation (GDPR) [41]. Table 1 outlines the main advantages and disadvantages of P2P PHSs.

For patients to benefit from the advantages of P2P PHSs, the network needs to be robust and fault-tolerant. Information security is paramount because of the high sensitivity of medical data [30,42]. Therefore, a pertinent question is how to make P2P PHSs resilient to attacks. P2P systems communicate over the internet; therefore, they inherit the same security issues as any other networked application on the internet. The P2P architecture poses significant security issues such as index poisoning attacks [43], Sybil attacks [44], chatty peer attacks [45], or distributed denial-of-service (DDoS) attacks [46].

Table 1. Security advantages and disadvantages of peer-to-peer patient-centered health care information systems (P2P PHSs).

Dimension: Privacy management
Advantages: Patients technically govern data. Patients can define access rights to their own PHSs.
Disadvantages: Inconsistent views in the network allow attackers (and superusers) to cheat and remain undetected.

Dimension: Federated medical data
Advantages: Patients keep their medical data and software on their own devices. Patients can determine the desired redundancy for their data by backing up at their end.
Disadvantages: Patients may lose access when the device is lost, and no backup system is used by the patient.

Dimension: Security
Advantages: No central attack profiles.
Disadvantages: Specific security issues other than general networked application attacks are introduced and slow deployment of security patches by users results in insecure P2P systems.

Dimension: Offline capability
Advantages: Data are available without a network connection, which improves infrastructure resilience. Disrupted internet connections will not stop data access.
Disadvantages: Maintenance effort for storing large amounts of data offline can be high.

Dimension: Stakeholder interaction management
Advantages: All health care stakeholders requiring access to patient data have to interact with patients to achieve their goals.
Disadvantages: Increased access control requirements for patients are hard to satisfy with current health care processes and systems due to bureaucracy and diverse levels of digitalization.


Moreover, P2P systems increase the attack surface owing to 3 disadvantages [26,47]: (1) increased chances of exposing network traffic patterns to attackers; even with encryption, the metadata can still reveal information to external attackers; (2) an inconsistent view of the network (due to a lack of global information), which affects integrity by allowing attackers to cheat and remain undetected; and (3) increased vulnerability to internal attackers due to the absence of a central entity to detect malicious insiders and govern software and security updates.

P2P and PHS Networks

Origins

The concept of P2P was introduced in 1969 in the first Request for Comments of the Internet Engineering Task Force; Request for Comments-1 denotes a host-to-host connection [48]. UseNet [49], a distributed messaging system, is often described as the first true implementation of a P2P network and was established in 1979. UseNet looks like a client-server model from users' point of view. However, servers communicate with each other based on the concept of P2P and share content over the entire group of UseNet servers without a central entity. With the surge in popularity of P2P networks, the music and file-sharing P2P application Napster [50] was introduced in 1999, which exhibited some approaches to P2P networks known today. Later, well-known and popular P2P systems emerged, such as Gnutella, eDonkey, and BitTorrent. Within the last 2 decades, the first health information systems were deployed on P2P networks—for example, the e-toile P2P PHS framework aimed at connecting all health care stakeholders in Geneva, Switzerland [21,51]; P2HR [20]; or the PEPP-PT COVID-19 contact tracing system in Europe [22]. The features distinguishing P2P systems from centralized systems are peer and resource discovery [35]. Since there are no servers, peers (eg, patients, practitioners, or PHS providers) must rely on techniques, such as indexing and routing tables [52], to locate other peers in the network (Figure 1).

Figure 1. Peer-to-peer (P2P) architectures. Some P2P systems are supported by centralized servers, other P2P systems attempt to decentralize as far as possible. Between these two extremes, hybrid systems benefit from the properties of both.

A P2P network, or system, is a type of computer network that exhibits decentralized control, autonomy, virtualization, and sharing of computing resources [47,50]. Peers participating in the network form a P2P network of nodes and are equally privileged. The network is self-organizing. Peers in the network make their resources directly available to other peers without the need for a central entity to facilitate or co-ordinate transactions [35]—for example, patients can directly exchange information with practitioners over their P2P PHSs. Peers in a P2P network can share and download resources. This is in direct contrast to traditional client-server networks in which resource-sharing and downloading are performed by distinct actors (eg, in PHRs such as Google Health or Microsoft Health Vault).

Centralized

Centralized P2P PHS (eg, P2P PHR [6] and e-toile framework [21]), and other centralized P2P systems (Napster, SETI@Home, and BOINC [35,50]) combine the features from client-server and decentralized architectures. One or more central servers are used to manage administration, transaction, registration, or resource discovery. To abide by data protection regulations, such as the US Federal Health Insurance Portability and Accountability Act (HIPAA) [6] or the GDPR [34,41], and related regulations, health or personal information should be stored separately from centrally managed operational data (eg, status and metadata of transactions as in P2P PHR [6] or the list of interoperable PHS providers and health care professionals and their access rights in the e-toile framework [21]). In the case of contact tracing systems such as PEPP-PT COVID-19 [22], the central server may be operated by a government or trusted entity to generate identities and contact graphs. In centralized P2P PHSs, the resources are indexed by the central server (Figure 2). Although a client-server approach is used for resource discovery, the actual communication that facilitates resource transmission is decentralized [53].


Figure 2. The centralized peer-to-peer (P2P) system. A peer E sends a message to the central server asking for the desired resource, the server runs a lookup and determines the peers that contain the queried resource and then sends back the result to the requesting peer E. Once peer E obtained the list (which consists of peer A and peer F), it establishes a direct connection to the peers.

In centralized P2P PHSs, data protection and security measures based on regulations such as HIPAA [6] or GDPR [41] can be enforced and implemented but PHSs may inherit issues from centralized systems [35], such as vulnerability to insider attacks and function creep by the entity running the server; reduced tolerance to avoid single points of failure; and issues with scalability and robustness. Central servers also become more likely to cause a bottleneck when the number of peers increases.

Decentralized

In decentralized P2P systems, peers have equal rights and responsibilities [35,54]. This can be seen in agent-based co-ordination frameworks proposed for the exchange of electronic health records between different providers (eg, P2P IHE [6,51]) or other P2P systems (eg, BitTorrent, Gnutella, Freenet, Chord, and PAST [35,50]). Each peer shares data that may only be relevant to queries of other peers. A decentralized P2P design is a user-based infrastructure because it requires no specific additional infrastructure and depends solely on the participating users to share resources (bandwidth and storage) [26]. In a decentralized P2P system architecture, 2 further dimensions are important [35]: the network structure and logical network topology (overlay network).

The network structure of a P2P network can be single-tier or multitier. In a single-tier network (eg, Gnutella, Freenet, and PAST [35,50]), loads and functionalities are equally distributed among the nodes participating in the network. In contrast, the multitier network has a routing structure with hierarchical layers. An example of a P2P protocol in this category includes the Super-peer Architecture and Crescendo System [35].

The logical network topology can be structured or unstructured. In unstructured P2P networks (eg, FreeNet, Gnutella, and KaZaA [50]), which exhibit a mesh topology [26], each peer maintains the list of its neighbors to which it may forward queries. Hence, in most cases, a peer must search a large fraction of the network when looking for a desired resource in the network, as there is no precise mapping between the identifiers of resources and peers [55]. Messages are continuously propagated by neighbors in the network [26], which affects the reliability of message delivery when the network is congested. This type of P2P system can be unsuitable for PHS deployment, especially in emergency situations where a patient’s medical history (located with another remote peer) is urgently needed for medical care.

To address these problems, structured P2P PHSs such as P2P IHE [51] and other structured P2P systems (eg, Chord, Kademlia, Pastry, and CAN [35]) have emerged. In structured P2P systems, a mapping between peers and data exists, data placement is under the control of Distributed Hash Tables (DHTs), and each peer has to maintain routing tables. A DHT is a hash table containing a key-value lookup function, and the entire index is equally distributed among participating peers [55]. The key-value store represents only the metadata of the participating peers, for example, the mapping (id, ptr) indicates that a resource with identifier id is located at a peer pointed to by ptr. The general idea of structured P2P networks is to minimize the number of peer lookups (eg, by adopting a key-based routing strategy) to identify and locate a desired resource in the network [35]. The cost of maintaining the structured topology is high when participants arbitrarily join and leave the network.
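The contrast drawn in the two preceding paragraphs (query flooding over an unstructured mesh versus key-based routing over a DHT that stores only (id, ptr) metadata) is easier to see when both lookups run over the same set of peers. The following is an added example written for this review and not code from the paper or from any of the systems it cites: it hashes peer and resource names onto a small 8-bit Chord-style identifier ring (an assumption; real DHTs use 128- or 160-bit ids), stores the (id, ptr) entry at the successor of the resource id, routes with finger tables, and floods the same query over a constructed 40-peer mesh for comparison. All peer and record names are constructed sample data.

```python
"""Resource lookup in an unstructured mesh versus a Chord-style DHT (added example)."""
import hashlib
import random
from collections import deque

M = 8                 # identifier bits: the ring holds ids 0 .. 2**M - 1 (assumed, toy-sized)
RING = 1 << M


def node_id(name: str) -> int:
    """Map a peer or resource name onto the identifier ring (SHA-256, truncated)."""
    return int.from_bytes(hashlib.sha256(name.encode()).digest()[:4], "big") % RING


def in_half_open(x: int, lo: int, hi: int) -> bool:
    """True if x lies in the ring interval (lo, hi], wrapping around zero."""
    return lo < x <= hi if lo < hi else (x > lo or x <= hi)


def in_open(x: int, lo: int, hi: int) -> bool:
    """True if x lies strictly inside the ring interval (lo, hi), wrapping around zero."""
    return lo < x < hi if lo < hi else (x > lo or x < hi)


def build_mesh(peers, extra_links, seed=7):
    """Unstructured overlay: a ring (keeps the graph connected) plus random neighbour links."""
    rng = random.Random(seed)
    adj = {p: set() for p in peers}
    for a, b in zip(peers, peers[1:] + peers[:1]):
        adj[a].add(b)
        adj[b].add(a)
    for _ in range(extra_links):
        a, b = rng.sample(peers, 2)
        adj[a].add(b)
        adj[b].add(a)
    return adj


def flood_lookup(adj, holders, start, resource, ttl):
    """Flood a query to every neighbour for at most `ttl` hops.

    No peer knows where the resource lives, so the flood cannot stop early; the
    message count covers the whole flood, duplicates included (peers drop queries
    they have already seen, but the bandwidth is still spent).
    Returns (first peer found holding the resource or None, messages sent).
    """
    seen, frontier = {start}, deque([(start, 0)])
    found, messages = None, 0
    while frontier:
        peer, depth = frontier.popleft()
        if found is None and resource in holders.get(peer, ()):
            found = peer
        if depth >= ttl:
            continue
        for nb in adj[peer]:
            messages += 1
            if nb not in seen:
                seen.add(nb)
                frontier.append((nb, depth + 1))
    return found, messages


class ChordRing:
    """Structured overlay: every id on the ring is owned by its successor peer."""

    def __init__(self, peers):
        self.ids = sorted({node_id(p) for p in peers})
        # finger i of peer n points at successor(n + 2**i); finger 0 is n's successor
        self.fingers = {n: [self.successor(n + (1 << i)) for i in range(M)] for n in self.ids}
        self.index = {}   # owner id -> {resource id: (resource, ptr)}; metadata only

    def successor(self, k):
        k %= RING
        return next((n for n in self.ids if n >= k), self.ids[0])

    def publish(self, resource, ptr):
        """Place the (id, ptr) mapping at the owner of id; the record itself stays at ptr."""
        k = node_id(resource)
        self.index.setdefault(self.successor(k), {})[k] = (resource, ptr)

    def lookup(self, start, resource):
        """Key-based routing from peer id `start`; returns (ptr or None, hops taken)."""
        k = node_id(resource)
        n, hops = start, 0
        for _ in range(len(self.ids) + 1):          # guard: never more hops than peers
            succ = self.fingers[n][0]
            if in_half_open(k, n, succ):             # k in (n, succ]: succ owns the key
                entry = self.index.get(succ, {}).get(k)
                return (entry[1] if entry else None), hops
            nxt = next((f for f in reversed(self.fingers[n]) if in_open(f, n, k)), n)
            if nxt == n:                             # no finger precedes k: cannot progress
                break
            n, hops = nxt, hops + 1
        return None, hops


PEERS = [f"patient-{i:02d}" for i in range(40)]      # constructed overlay
RECORD = "record:patient-17:allergies"               # constructed resource name


def demo():
    """Run both lookups for the same resource from the same starting peer."""
    mesh = build_mesh(PEERS, extra_links=30)
    holders = {"patient-17": {RECORD}}
    hit3, msgs3 = flood_lookup(mesh, holders, "patient-03", RECORD, ttl=3)
    hit_all, msgs_all = flood_lookup(mesh, holders, "patient-03", RECORD, ttl=len(PEERS))
    ring = ChordRing(PEERS)
    ring.publish(RECORD, ptr="patient-17")
    ptr, hops = ring.lookup(node_id("patient-03"), RECORD)
    return {"flood_ttl3": (hit3, msgs3), "flood_full": (hit_all, msgs_all), "dht": (ptr, hops)}


if __name__ == "__main__":
    print(demo())
```

With the ring at M bits, each hop at least halves the remaining ring distance, so the DHT lookup resolves the pointer in at most M hops, while the flood with a TTL large enough to guarantee a hit has to message every peer; a TTL of 3 is cheaper but may miss the holder entirely, which is the unreliability the paragraph above describes.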


The overall issue of decentralized P2P systems is the slow search for peers offering the desired resources in the network [35], and freedom to join or leave the network affects availability [20,56]. However, these systems do not have single points of failure and benefit from other features, such as scalability and robustness to operational errors. The lack of centralized control is a major factor contributing to routing difficulties: routing becomes more complicated with more diverse participating nodes [57], when massive peer churn is present [58] and when there is a dependence on nodes that could be malicious [59]. To remedy this, a shared memory in a distributed tuple space architecture [60], as used in the P2P PHS agent-based co-ordination framework P2P IHE [51], can be leveraged. In such an architecture, a distributed network of tuple centers is used as a co-ordination framework to facilitate interactions between various PHS providers and other health care stakeholders [51].

Hybrid

P2HR [20] is an example of a hybrid P2P PHS. Other P2P systems (eg, BestPeer [35], BestPeer++ [61], or BitTorrent [62]) eventually relied on this topology. Hybrid P2P architectures were introduced to address the challenges of centralized servers in P2P networks and the time required for resource discovery in decentralized P2P networks [35,54]. They combine the advantages of both architectures [50], such as reliable resource discovery and scalability. Although there are no servers in hybrid P2P systems, peer nodes that have more resources in terms of storage, computation power, network connectivity, stability, and uptime can fulfill the role of servers and assist common peers with resource discovery. These nodes are referred to as super peers. In hybrid P2P systems, resource discovery can be performed by querying the super peer (in a centralized manner) or using decentralized search techniques [63]. Common peers form the lower layer, while super peers form the upper layer.

Although super peers share some similar properties with servers in a centralized P2P network, they are different [35]: (1) a super peer only acts as a manager for its subset of peers in the network—it is not as powerful as a server in centralized P2P networks that oversees the entire network. For PHSs, dividing patients into groups (eg, per hospital) ensures that patients’ data are only shared with users that require them [64]; (2) a super peer also participates and acts as a common peer and facilitates the same operations, such as resource-sharing and downloading. As an analogy, the relationship of super peers with common peers is similar to interactions between entities in human society: for instance, in a hospital, physicians keep more knowledge and connections with their patients than other personnel. As such, patients with health issues are expected to ask for help from physicians, as there is a higher probability that they are able to handle the problem.

Super peers can act as federated authorities whereby participating users can affiliate themselves with provider nodes based on extant trust relationships (eg, friendship or treatment relationships). Provider nodes are largely independent of each other; hence, there is a federation of provider nodes. Each provider is responsible for its common peers; however, individual provider nodes can collaborate to provide services. The placement of super peers in a privileged position enhances the availability of resources, operations, computations, and performance; however, this also raises issues regarding trust, privacy, and integrity as super peers regulate services. The absence of a super peer in the network may affect operations in the network, thereby reducing the fault tolerance of the P2P network. In terms of security, nodes operated by providers are central points of attack (at least for the common peers served by a particular super peer). As super peers manage subsets of peers in the network, they are more attractive targets for attacks. “The main vulnerability of federated systems are such assumptions that federated service providers (e.g., super-peers) will largely act honestly” [26].

P2P PHS Architecture

On the basis of the discussion of the different forms of P2P PHS architectures in the previous section, the combination of a multitier structure and a hybrid P2P architecture appears most appropriate for P2P PHSs. We therefore propose an architecture with the following abilities (Figure 3): (1) enforcement of data protection requirements similar to those of HIPAA, and of semantic compliance, through super peers acting as central index servers; (2) registration and identity verification; (3) higher scalability and availability of resources and no single point of failure; (4) association of patients (tier 5, Figure 3) with their respective PHS providers (tier 3, Figure 3) and practitioners (tier 4, Figure 3); and (5) faster distribution of PHS updates and security patches through the super peer networks. The P2P PHS network is an overlay of the modeled hierarchical relationships between the tuple center and PHS providers, between PHS providers and practitioners, and between practitioners and patients.

J Med Internet Res 2021 | vol. 23 | iss. 11 | e24460 | https://www.jmir.org/2021/11/e24460

Abdullahi Yari et al | Journal of Medical Internet Research


Figure 3. Proposed peer-to-peer (P2P) high-level architecture for a patient-centered health care information system (PHS). An aggregate relationship exists between the practitioners and the patients. Patients control access to their health data, and other entities require patient permission to access a patient's medical data, for example, by using tokens, as currently being implemented in the MedicalChain PHS project [11].

Large health care IT organizations (eg, the German Healthcare Technology Infrastructure; HTI [2,65]) sit at the top of the hierarchy (tier 1, Figure 3) to certify the various PHS providers. They define and enforce the implementation of data regulations, representation standards, and ontologies (eg, Health Level Seven and Fast Healthcare Interoperability Resources [6]) so that heterogeneous medical records can be shared across PHS networks. In the second tier, a distributed public network of tuple centers (eg, certified through a national health agency) is provided by trusted third parties (tier 2, Figure 3). Agent-based systems (as in centralized P2P PHSs [51]) can be used across P2P networks, with the tuple centers' action-reaction rules governing communication events [51]. Agent coordination models can handle data semantics and peer lookup services while serving as the medium for data sharing between P2P PHS providers, but the actual inter-PHS communication is performed in a P2P manner. P2P PHS providers can subscribe to any certified tuple center. A PHS provider can communicate only with other subscribers of the tuple centers to which it subscribes.

PHSs can be provided by any party. In our scenario, hospitals serve as PHS providers and are modeled as hyper peers (managers of the super peers and other peers in the network). Hyper peers relay requests and responses among all subpeers across multihop networks. Each hyper peer has its own separate private cloud server, which stores a secure digital copy of patient health records (Figure 3). These records are a replica of the data available on the patient's local storage, but they are only placed in the hyper peer's private cloud if the patient subscribed to the corresponding additional PHS features (eg, data backup, ease of remote data sharing, or emergency access). Patients control the accessibility and availability of their data stored in the private cloud through their local PHS client software. This topology has 2 issues: (1) the same records are stored both locally on the patient's mobile device and in the cloud, which appears redundant, but this redundancy mitigates connectivity problems while preserving the P2P PHS's offline capability; and (2) if the local device is the source of patient identity verification and access authorization for the cloud storage, the cloud copy becomes inaccessible when the device is lost.

Each hyper peer has multiple health practitioners in the network, which maintain patients' public identities (under the control of a DHT [55,66]) for lookup functionality and ease of data access; therefore, a patient (common peer) can be associated with multiple practitioners from various hyper peers (practitioners A, B, C, etc). In such cases, these hyper peers communicate via tuple centers. This way, patient data stored in the cloud of hospital B can be accessed by practitioners in hospitals A or C for diagnosis or treatment, provided that the patient grants access rights. Each common peer on the network (corresponding to a patient) is modeled both in the local PHS and on the hyper peer's private cloud server. Common peers can grant access to their health records to any party through single-hop radio communication (without involving a third party, eg, Wi-Fi Direct) or through multihop network communication via the cloud storage of the hyper peers [65]. Other parties, such as researchers looking for data, can obtain read permissions for patient records by interacting with the practitioner via the hospital's private network, which forwards the permission requests to the patients. However, only aggregated (anonymized) results are returned to the researcher. Moreover, wearable mobile devices and biotechnologies that provide biometric or psychometric data can be connected directly to a patient's P2P PHS.
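The token-based permission pattern described above (patients grant access, practitioners present permission tokens, and the hyper peer's cloud replica enforces them) can be made concrete as follows. This is an added example written for this review; it is not the paper's mechanism and not MedicalChain's implementation. It assumes that the patient's local PHS client and the cloud replica share a symmetric key provisioned when the patient subscribes; the record identifiers, the grantee naming scheme, and the grant fields are assumptions as well.

```python
"""Patient-controlled access grants for a hyper peer's cloud replica.

Added illustration of the pattern described in the text: the patient's PHS
client signs a grant with a key it shares with its cloud replica (assumed to
be provisioned at subscription), a practitioner presents the grant, and the
replica verifies it before serving a record. Not the paper's own protocol.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_grant(patient_key: bytes, grantee: str, record_ids, ttl_s: int,
                actions=("read",), now=None) -> str:
    """Patient side: sign a grant for one grantee, a record scope and a lifetime."""
    now = int(time.time()) if now is None else now
    payload = {
        "jti": secrets.token_hex(8),      # grant id, usable in a revocation list
        "sub": grantee,                   # practitioner identity (assumed format)
        "rec": sorted(record_ids),        # records the grant covers
        "act": sorted(actions),           # permitted actions
        "iat": now,
        "exp": now + ttl_s,
    }
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(patient_key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_grant(patient_key: bytes, token: str, grantee: str, record_id: str,
                 action="read", revoked=frozenset(), now=None):
    """Replica side: return (allowed, reason). Integrity is checked first, then
    revocation, lifetime, grantee, record scope and action."""
    now = int(time.time()) if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return False, "malformed"
    expected = hmac.new(patient_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature"
    grant = json.loads(body)
    if grant["jti"] in revoked:
        return False, "revoked"
    if now >= grant["exp"]:
        return False, "expired"
    if grant["sub"] != grantee:
        return False, "wrong grantee"
    if record_id not in grant["rec"]:
        return False, "record not in scope"
    if action not in grant["act"]:
        return False, "action not granted"
    return True, "ok"


def grant_id(token: str) -> str:
    """The grant's jti, for building a revocation list on the replica."""
    return json.loads(_unb64(token.split(".")[0]))["jti"]


def widen_scope(token: str, extra_record: str) -> str:
    """Attacker side: rewrite the body to add a record while keeping the old tag."""
    body_b64, tag_b64 = token.split(".")
    grant = json.loads(_unb64(body_b64))
    grant["rec"] = sorted(grant["rec"] + [extra_record])
    body = json.dumps(grant, separators=(",", ":"), sort_keys=True).encode()
    return _b64(body) + "." + tag_b64


if __name__ == "__main__":
    key = secrets.token_bytes(32)         # shared at subscription (assumption)
    tok = issue_grant(key, "practitioner-A", ["rec-1"], ttl_s=600)
    print(verify_grant(key, tok, "practitioner-A", "rec-1"))            # (True, 'ok')
    print(verify_grant(key, tok, "practitioner-B", "rec-1"))            # wrong grantee
    print(verify_grant(key, widen_scope(tok, "rec-2"), "practitioner-A", "rec-2"))
```

With a shared HMAC key the replica could mint grants itself, so patient control in the strict sense requires the patient to sign with a private key that the replica only verifies (eg, Ed25519); the checks and their order stay the same. The block also illustrates the second caveat above: if the signing key lives only on the patient's device, losing the device leaves nobody able to issue grants for the cloud copy.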

Methods

Literature Search

We conducted a systematic literature review (Figure 4) following the PRISMA (Preferred Reporting Items for Systematic Reviews and Meta-Analyses) reporting guidelines [67,68] and used thematic analysis to guide the data analysis process [69]. The systematic literature search was conducted using specialized academic search engines (IEEE Digital Library, PubMed, ScienceDirect, ACM Digital Library, Scopus, and Semantic Scholar; see Multimedia Appendix 1 for further details). The search covered articles published between 2008 and 2020. The study selection was organized into the following phases.

1. The search string was derived by breaking down the research question into different facets, including their alternative definitions and acronyms, combined using the logical operators "OR" and "AND" [68]. The search string "(P2P OR Peer-to-Peer) AND (vulnerabilities OR vulnerability OR threats OR threat)" was applied to the title and abstract and adapted to the specific syntax of each search engine.

2. Eligibility criteria: we included all articles that could be accessed, were written in English, were published in academic outlets, and identified inherent security issues for PHS deployment on P2P networks, as suggested for thematic analysis [69].

3. Abstracts of the filtered articles were further analyzed by the authors to remove irrelevant articles based on the eligibility criteria and other false-positive results.

4. Articles were grouped and duplicates were removed.

5. The remaining articles were read in full text and analyzed by the authors (assisted by Atlas.ti software [70] to manage codes and themes for thematic analysis [69]) to include only relevant studies based on the eligibility criteria defined in step 2.


Figure 4. PRISMA (Preferred Reporting Items for Systematic Reviews and Meta-Analyses) flow diagram. P2P: peer-to-peer.

Identified Articles

Initially, 102,851 articles were identified using the search string. These articles were screened by title using the same search terms, which removed 99.29% (102,121/102,851) as false positives. Examination of the abstracts of the remaining 0.71% (730/102,851) articles excluded a further 0.67% (685/102,851). The main reason for exclusion in this step was a lack of thematic fit with our study (eg, a focus on P2P currency exchange or lending platforms, or on security issues of largely unrelated technologies such as robotics). We analyzed the full text of the remaining 0.04% (45/102,851) articles and excluded 0.01% (7/102,851) more. We complemented the result set with 0.01% (11/102,851) additional articles that met the eligibility criteria but not the inclusion criteria (eg, published before 2008). Ultimately, 0.05% (49/102,851) articles remained.

Thematic Analysis

Data analysis was guided by thematic analysis [69] to identify the relevant themes in the identified articles. The initial coding was performed by the first author and refined and finalized in group discussions with the other authors. The themes (codes) were identified theory-driven, using the key security goals of the CIA triad (ie, confidentiality, integrity, and availability) as organizing codes for the data analysis (assisted by Atlas.ti software [70] to manage codes and themes). Confidentiality entails that unauthorized actors cannot access information during transmission, processing, or storage. Integrity requires that information not be modified unintentionally or without authorization. Availability means that the system is accessible to the user when needed. For each of the codes identified, we examined the impact of the associated security issues on P2P PHSs (eg, potential for unauthorized access). We then investigated and rated the consequences of potential exploits of P2P PHS security issues based on the Common Vulnerability Scoring System (CVSS; see Multimedia Appendix 2 for further details).

The systematic literature review revealed 8 main P2P security issues (the list of themes extracted through data analysis) and 7 factors promoting them. Table 2 shows the summary (the generated codebook) of the security themes identified, along with their sources and exemplary codes used to derive the themes during the thematic analysis process.


Table 2. Overview of peer-to-peer (P2P) security themes identified. Entries are given as combined theme [studies], followed by second-order themes with exemplary first-order themes; the first- and second-order themes are examples and not exhaustively listed.

Pollution [71-81]
  Metadata pollution: changing the original file name or extension; replacing the file with a misleading one
  Index pollution: claiming ownership of wanted but bogus content; sharing the content record via the index
  Content pollution: modifying the file content; replacing the file with an incorrect one

Malware [78,81-91]
  Virus: infection of the system; appears to be part of legitimate programs
  Spyware or ransomware: spying on or stealing user data; encrypts any kind of files and data
  Worm: infection of the P2P routing table; appears independent of existing programs

Social engineering [35,80,82,92-95]
  Baiting: tricks users into divulging sensitive information; relies on human error
  Phishing: scam via email or SMS text messages; tricks users into divulging sensitive information

Poisoning the network [35,43,45,47,56,71,73,77,81,89,95-102]
  Index poisoning: sharing of bogus content via the indexing table; affects network quality of service
  Routing table poisoning: sharing of bogus content via the routing table; prevents peers from finding the correct resources

Sybil [26,52,54,56,63,72,76,81,84,92,103-112]
  Faking identity: faking multiple identities for a single user; affects the redundancy property of P2P systems
  51% attack: outvoting honest nodes in the network; cheating without being detected

Eclipse [47,54,56,72,77,79,81,92,93,105-108,113-116]
  Large man-in-the-middle: separating the network into several portions; acts as a gateway and disrupts message flow

Distributed denial-of-service (DDoS) [43,45,72,76,77,80,81,84,88,92,94,95,97,98,100,102,105,110,117-119]
  Flooding: invalid packets flood the network; impedes delivery of normal packets
  TCP-DDoS (transmission control protocol DDoS): connection overload with full TCP requests; denies connections from legitimate requests

P2P traffic blockade [46,100,120-122]
  Port number blockade: blocking of P2P network traffic; imposes bandwidth limits on P2P networks

Results

Factors Promoting Security Issues in P2P Networks

To use a P2P network for resource sharing, multimedia streaming, distributed computing, or telephony, users install a P2P application on their device and permit it to access device resources such as cameras, microphones, or storage. During operation, the P2P client reads files from the user's disk for uploads and writes to the user's disk during downloads. In the course of these operations, personal or sensitive information can be transmitted to the network.

Inadvertent Sensitive Information Disclosure

Users' confidential or personal documents often need not be exposed by worms or viruses, because many users expose these documents inadvertently [123]. For example, a node may request data X from the user, and the user sends back the entire folder in which X is located. The user may end up exposing all of their sensitive information for the following reasons: (1) the user does not appropriately select the requested data when sharing, (2) the interface design of the P2P application confuses the user, and (3) the requester offers a large incentive to share. In 2012, an automated personal health information tool was used to crawl different P2P networks (FastTrack, Gnutella, and eD2K) for Canadians' personal health information and personally identifiable information in exchanged text files [83]. Of the 3924 P2P files with unknown content, 1.45% (57/3924) were flagged as containing personally identifiable information. Manual analysis of these 57 files revealed that 19% (11/57) contained health information about an identifiable individual, that is, inadvertently disclosed health information.

In 2019, a survey identified human errors, such as sending personal information to unintended email recipients or releasing personal information by accident, as the largest source of data breaches in the health sector [39]. Similarly, several peers were found to be inadvertently sharing their financial, email, and web cache data in a study on the KaZaA P2P network [124]. In addition, some P2P users share their personal information intentionally to increase the number of files they share and thereby meet the participation requirements of some P2P systems [85].
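The folder-oversharing failure described above has a client-side check: scan a folder for indicators of personal health information before the P2P client exposes it, and hold back anything that trips the policy. The following is an added example, not code from the paper or from any P2P client. Its indicator patterns, the shape it assumes for insurance numbers, its two-indicator policy, and the sample files it builds are all constructed, and such heuristics will produce both false positives and false negatives.

```python
"""Pre-share scan of a folder a P2P client is about to expose (added example).

Before a folder is added to the shared set, every file is scanned for
indicators of personal health information and flagged files are held back.
Patterns and policy are constructed heuristics for illustration.
"""
import re
import tempfile
from pathlib import Path

# Constructed indicator patterns (illustrative, not a complete PHI taxonomy).
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    # One letter followed by nine digits, the shape of a German health insurance number.
    "insurance_no": re.compile(r"\b[A-Z]\d{9}\b"),
    # ICD-10 code such as C50.9 or F32 (the letter U is reserved, hence excluded).
    "icd10": re.compile(r"\b[A-TV-Z]\d{2}(?:\.\d{1,2})?\b"),
    "health_term": re.compile(
        r"\b(diagnosis|diagnose|patient|prescription|discharge|HIV|AIDS|cancer)\b", re.I),
}


def classify_text(text: str) -> set:
    """Return the kinds of indicator present in the text."""
    return {name for name, rx in PATTERNS.items() if rx.search(text)}


def is_sensitive(hits: set) -> bool:
    """Constructed policy: an insurance number alone, or two indicator kinds together."""
    return "insurance_no" in hits or len(hits) >= 2


def scan_folder(root: Path) -> dict:
    """Map each file (posix relative path) to (sensitive?, sorted indicator kinds)."""
    report = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        hits = classify_text(path.read_text(errors="replace"))
        report[path.relative_to(root).as_posix()] = (is_sensitive(hits), sorted(hits))
    return report


def share_list(root: Path) -> list:
    """Files the client may expose: everything the scan did not flag."""
    return [name for name, (flagged, _) in scan_folder(root).items() if not flagged]


def demo() -> dict:
    """Build a constructed folder mixing harmless and medical files, then scan it."""
    root = Path(tempfile.mkdtemp(prefix="p2p-share-"))
    (root / "music").mkdir()
    (root / "scans").mkdir()
    (root / "music" / "setlist.txt").write_text(
        "Friday rehearsal: opener, two ballads, encore.\n")
    (root / "music" / "contacts.txt").write_text(
        "Call Jan about the rehearsal: jan.example@example.org\n")
    (root / "scans" / "discharge_letter.txt").write_text(
        "Patient: Musterfrau, Erika\nInsurance no.: A123456789\n"
        "Diagnosis: C50.9 malignant neoplasm of breast\n")
    return scan_folder(root)


if __name__ == "__main__":
    for name, (flagged, kinds) in demo().items():
        print("HOLD " if flagged else "share", name, kinds)
```

The check is deliberately applied to the whole folder rather than the one file the user clicked, because the failure mode above is that the client shares the containing folder; a single e-mail address does not trip the policy, while a letter that combines a patient name, an insurance number and a diagnosis code does.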

Set-and-Forget

P2P clients tend to be set-and-forget applications that run in the background [85,123,125]. The user therefore does not carefully track the activities of the P2P client, which increases the opportunity for abuse.

No Borders

Geography is largely irrelevant in P2P networks [85], and no region is safer than another. A computer in Australia or Argentina becomes part of the same network as a computer in Nigeria (Figure 5). In open P2P networks, files migrate globally, and threats can come from any region of the globe. Hence, the heterogeneity and geographically dispersed nature of P2P networks can be a problematic factor for security, quality of service guarantees, and scalability. However, studies have shown that P2P networks converge to a certain degree of geographical clustering [85,126]: users may choose to download and share content from their own region, which gives lower network use and latency than exchanging content with other regions.

Figure 5. Geography example of a peer-to-peer (P2P) network.


Growing Use and Network Heterogeneity

As a P2P network grows, the number of leaks of confidential files in the network increases. In 2017, nearly 27 million P2P users downloaded and shared files on P2P networks daily, 17 million more than in 2006 [127,128]. Moreover, P2P networks are heterogeneous and fast-moving; hence, users may not be able to keep track of security issues, and developers may neglect them [85].

No Content Verification

Conventional P2P networks have no trust mechanism to assist users in deciding whether to share or download content. Similarly, they have no central authority responsible for verifying the authenticity of the resources shared by users [80]. Hence, there is no guarantee that users share the content they promise. This makes it easier for an attacker to spread malware across a P2P network, for instance, to conduct fraudulent activities or pollution attacks [72].

Digital Winds Spreading Files

Typically, P2P networks build their file indexes from file names and the associated metadata [123]. This is a security issue because it allows anybody to discover files in P2P networks easily. For example, an opportunistic search with key terms related to the top 10 publicly traded health care firms in the United States revealed 20,000 patient records, 4 patients with acquired immune deficiency syndrome (AIDS), 201 patients with a mental diagnosis, and 326 patients with cancer [125]. The approaches that some P2P clients use to create and manage file names have serious implications for the exposure of users' private and confidential information. This is a problematic factor for security because users' sensitive files can be discovered easily owing to poor P2P client design.

Snooping Nodes

This factor enables attackers to leverage the open nature of P2P networks [100]. Long routing paths across several nodes create opportunities for malicious activity [94]. Peers in a privileged position in the network (eg, super peers) are able to see the communication of the common peers they serve. For example, decentralized P2P systems such as Gnutella [35] have no central servers or auxiliary mechanisms to coordinate communication among users, but when a new user connects to the Gnutella network, it chooses a node as its permanent entry point [115]. Thus, high-speed nodes are inadvertently placed in the central part of the topology and can observe the communication of nodes in their local subgraph. Moreover, communication in P2P networks stops being anonymous as soon as the source node establishes a direct connection to a destination node to download files [35]: the IP addresses of both nodes are exposed to each other, which creates another opportunity for abuse. Once the identity of a peer is revealed, further attacks can be carried out [96].

Identified Security Issues and Their Impact on P2P PHSs

Pollution

Pollution is a form of attack in which an attacker modifies the original content (by mixing or substituting) so that it has no use or is of low quality [72,79,81]. The polluted content appears legitimate (eg, by having a similar size, format, and title) to trick users into downloading it, but the altered content may be malicious, fake, or corrupt. This affects the network's quality of service (especially in file-, voice-, and video-based P2P streaming systems [72,73,75,79,80]), overall system energy consumption [74], content availability [78], and data integrity [72]. Pollution is an easy and fast way to disseminate worms or viruses from one peer to many others; it can therefore have an exponential impact on the security of the entire network [72]. The pollution attack was first documented in 2005, when a crawler was used to retrieve super peers in the KaZaA P2P network [73]. Analysis of the contents collected by the crawler revealed that over 50% of the welcome copies (ie, introductory files for a collection of files) of music files in the KaZaA network were polluted [73]. Pollution is a serious attack on P2P networks even with a single polluter [72,75], and its impact grows with the number of polluters or of peers requesting the content [75]. As a result, peers often consume a multiple of the network bandwidth they would need in a pollution-free network [75]. Furthermore, the attack is persistent: even if polluted content is identified and blocked by the network, the polluters can stay alive in the network by disguising their identities and keep polluting it.

Pollution is categorized by the attacker's strategy: (1) metadata pollution, where a file's extension or name is modified or replaced with a misleading one; (2) content pollution, where the file content is changed; and (3) index pollution, where an attacker claims ownership of an unindexed bogus file and uploads its record (IP address, port number, etc) to the entities that maintain such records for distribution (eg, super peers in a hybrid P2P network) [73,77]. In most cases, the polluters also attack legitimate peers' reputations or boost their own through whitewashing attacks [75,76]. Content pollution is the most common attack in P2P streaming systems [74]; it was detected in 50%-80% of files in KaZaA and in about 50% of popular files in eDonkey [73,74]. Pollution is not necessarily caused by malicious users: P2P systems are notorious for illegally sharing copyrighted content, and content is often polluted by copyright owners as a countermeasure to protect their rights when legal action fails [71,72]. To facilitate the protection of copyright claims, some P2P system providers even weaken the protection against pollution attacks in their networks [73], although this undermines users' confidence in such systems [72,73].
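Content and metadata pollution work because a polluted copy is indistinguishable from the genuine one by name, size, and format. The standard countermeasure in content-addressed P2P systems is to describe a file by per-chunk digests and to verify every chunk as it arrives, so that a polluted chunk is rejected and fetched from another source instead of being stored, executed, or forwarded. The simulation below is an added example, not code from the paper; the peers, the file content, and the manifest format are constructed.

```python
"""Chunk-level content verification against pollution (added example).

A publisher describes a file by the SHA-256 digest of each chunk; downloaders
verify every chunk before accepting it. All peers and data are constructed
in memory; nothing here is taken from the paper or from a real P2P client.
"""
import hashlib


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(name: str, content: bytes, chunk_size: int = 8) -> dict:
    """Publisher side: describe the file by its chunk digests, not by its name."""
    chunks = [content[i:i + chunk_size] for i in range(0, len(content), chunk_size)]
    chunk_digests = [digest(c) for c in chunks]
    return {
        "name": name,
        "size": len(content),
        "chunk_size": chunk_size,
        "chunks": chunk_digests,
        # The root ties the chunk list together; an index should be keyed by it.
        "root": digest("".join(chunk_digests).encode()),
    }


def verify_chunk(manifest: dict, index: int, data: bytes) -> bool:
    return 0 <= index < len(manifest["chunks"]) and digest(data) == manifest["chunks"][index]


def download(manifest: dict, sources: dict) -> tuple:
    """Fetch each chunk from the first source whose copy verifies.

    sources maps a peer id to a callable index -> bytes. Returns the content
    and a list of (chunk index, peer id, bytes received) for rejected chunks.
    """
    assembled, rejected = [], []
    for idx in range(len(manifest["chunks"])):
        for peer_id, serve in sources.items():
            data = serve(idx)
            if verify_chunk(manifest, idx, data):
                assembled.append(data)
                break
            rejected.append((idx, peer_id, len(data)))   # polluted: do not keep
        else:
            raise RuntimeError(f"chunk {idx}: no source served a verifying copy")
    content = b"".join(assembled)
    if len(content) != manifest["size"]:
        raise RuntimeError("size mismatch after verified download")
    return content, rejected


def make_honest(original: bytes, chunk_size: int):
    return lambda idx: original[idx * chunk_size:(idx + 1) * chunk_size]


def make_polluter(original: bytes, chunk_size: int, bad_chunks: set):
    """A peer serving the real file except for some same-size garbage chunks
    (content pollution: name, size and format all still look right)."""
    def serve(idx: int) -> bytes:
        chunk = original[idx * chunk_size:(idx + 1) * chunk_size]
        return bytes(len(chunk)) if idx in bad_chunks else chunk
    return serve


def run_demo() -> dict:
    """Constructed scenario: the polluter is listed first, as an attacker who
    floods the index would arrange; two of the six chunks are polluted."""
    original = b"patient record v3 -- constructed sample content"
    manifest = make_manifest("record.json", original)
    sources = {
        "polluter": make_polluter(original, manifest["chunk_size"], {1, 3}),
        "honest": make_honest(original, manifest["chunk_size"]),
    }
    content, rejected = download(manifest, sources)
    return {"ok": content == original, "rejected": rejected,
            "wasted_bytes": sum(n for _, _, n in rejected)}


if __name__ == "__main__":
    print(run_demo())
```

Digest verification defeats content pollution of a known manifest, but not index pollution: a polluter can publish its own manifest under the same file name. That is why the index should be keyed by the root digest rather than by name, and why manifests need an authenticated publisher; a name search then returns candidate roots that the publisher's identity or a reputation mechanism must disambiguate.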

Impact of Pollution Attacks on P2P PHSs

Successful pollution attacks on P2P PHSs can be devastating because medical data have higher integrity and availability requirements than data shared in other P2P systems. The consequences of exploitation range from low to high, depending on the level of access gained; pollution attacks often serve as a gateway to identify vulnerabilities (eg, unverified inputs that can be used for SQL injection attacks [129]) and to mount further attacks (eg, ransomware attacks). For example, in 2020, a patient in need of emergency care for an aneurysm died in Germany during a ransomware attack on a hospital. The attack caused a network outage that disrupted emergency services, and the patient was sent to a health care facility approximately 20 miles away [130]. This diversion delayed her treatment by an hour, and she died [130]. The openness of P2P systems allows polluters to join and leave the network easily [20,56]; identity verification (eg, via insurance, employment contract, or token) and multifactor authentication concepts for P2P PHSs could add a layer that reduces the vulnerability of the network. Patients or practitioners polluting a P2P PHS through their legitimate accounts can be traced easily; however, a double-faced user (legitimate but malicious) could use readily available tools such as the Burp Suite interception proxy [78] to, for instance, alter an HTTP request payload to carry an anonymous ID, add polluted content, and forward it to the content distribution network of a hospital to harm the network.

Malware

Malware refers to a wide range of attacks that compromise a system without the knowledge of the system owner [84,90]. P2P networks present a greater risk of receiving malware; for example, only 3 strains of malware accounted for the infection of over 68% of compressed and archived files on the Gnutella network [84]. In the first 3 quarters of 2019, 7.2 billion malware attacks were reported globally [91]. In P2P networks, malware is predominantly used to create botnets by leveraging worms [84,89,90].

A botnet is a network of infected nodes that are usually compromised by worms or viruses. Individual bots in the botnet use only a small portion of the infected resources to remain concealed and create only barely noticeable traffic when sharing data from the compromised computers with the target [88,89]. The bots are controlled by an attacker (the botmaster) through command-and-control servers [89].

A worm is independent: it requires neither a host application [84,87,92] nor human intervention [82] to propagate and replicate itself over a network. Worms can have a high fallout in combination with other vulnerabilities and propagate through email attachments, web server infections, file downloads (counterfeit worms), or other legitimate network activities (silent worms) [78,81,82,84,87]. Passive worms (counterfeit and silent worms) and active worms are the 2 broad categories of P2P worms; both propagate like a biological virus, but the former wait for victims to infect, whereas the latter actively search for new targets [84]. The threat of amplification of worm-based attacks in a P2P network is high, and the impact grows with network size, topology degree, or host vulnerability [78]. In contrast to the internet at large, where worms must search randomly to identify vulnerable hosts, P2P worms can harvest targets from the overlay's own neighbor lists, spread rapidly, and infect all nodes in the network almost instantaneously [84]. For example, the Antinny worm (passive, counterfeit) that appeared on the Japan-based Winny P2P network led to the disclosure of a large amount of private data: thousands of patient health records, customers' identifiable information, top-secret military information, and documents of a county police investigator that yielded information on major investigations of 1500 individuals [85,86]. Furthermore, in 2001, in less than 14 hours, the Code Red worm (active) infected over 350,000 systems and caused more than US $1.2 billion in damages in the first 10 days of its circulation [78].

P2P worms are among the best facilitators of botnet-based attacks and internet worms. P2P networks are, for instance, known for sharing gray content, such as pornography and pirated streaming media, which can make users less careful about monitoring unusual behavior in the network [78,84,85]. Active P2P worms have different attack strategies: pure random scan (PRS), offline hit-list scan, and web-based scan [78,82,84]. PRS is the starting point and information-gathering stage and is the most commonly used strategy [78]. PRS is useful when the infected host (bot) has no prior vulnerability information about potential targets; it randomly selects targets and attacks them to propagate the infection, for instance, using random IP addresses drawn from the global internet address space [78,82,84]. The offline hit-list scan is a more powerful strategy: the attacker collects targets using DNS, network topology, and routing information of P2P systems (eg, using crawler tools [83]) and attacks them continuously until all hosts in the hit-list have been scanned, after which the newly compromised bots attack using the PRS strategy [78,82]. Instead of an offline hit-list, the web-based scan strategy first launches attacks on the host's web-based P2P neighbors, and the worm then spreads further from the infected hosts using PRS [78,82].

Impact of Malware on P2P PHSs

Ransomware constitutes the biggest threat, with 151.9 million attacks globally in the first 3 quarters of 2019 [91]. Moreover, ransomware attackers are shifting tactics to target higher-value institutions, such as hospitals [91]. In 2017, the WannaCry ransomware attack infected more than 230,000 computers worldwide [131]. In the British National Health Service, WannaCry disrupted scheduled treatments in many hospitals, resulting in total damages of around £92 million (roughly US $120 million) in the United Kingdom [132]. The malware encrypted users' data and demanded a ransom for the decryption key [133]. For health data on P2P networks, which have a less controlled infrastructure, ransomware attacks can become easier.

The effect of malware on P2P PHSs could be high, although the severity of malware attacks is context-dependent. Malware such as Antinny [85,86], Anatova [134], or Code Red [78] would be detrimental to a P2P PHS if it denied patients and physicians access to the PHS, stole patient data, or hijacked and encrypted data for ransom. Structured P2P PHSs, such as our proposed architecture (Figure 3) or the e-toile framework in Switzerland [21], could be less vulnerable to malware than unstructured P2P PHSs, because control measures can be applied on the index and DHT networks [55,66]. Factors that increase the attack surface are that P2P client applications tend to be set-and-forget [85,123,125], running in the background while the user is not monitoring their activities, and that there is no centralized control to detect and prevent attacks in P2P networks. The impact of malware could also escalate beyond the boundary of the P2P network and impede usability features such as emergency access or guardian support. In P2P PHSs, these disruptions can occur on a greater scale than in the example in the previous section, where a single patient could not be treated in a hospital because of a ransomware attack [130].

Social Engineering Attack

Some P2P clients are used by users with limited knowledge of computers and information security [80,94,95]. Depending on the nature of the target network, social engineering attacks (attacks on the users involved in a system [93]) can facilitate exploits of other vulnerabilities. P2P worms such as silent worms (eg, the VBS.Gnutella worm [82]) rely on social engineering: they disguise themselves, attach to a known file, and wait to compromise victims [93]. Moreover, some P2P systems (eg, Napster and BitTorrent [92]) implement mechanisms that incentivize users to share resources or content in exchange for better performance and access to content; experienced users or attackers can exploit the eagerness and likely incautiousness of new users to deceive them and obtain confidential information that can be used for further attacks. Owing to the set-and-forget nature of P2P file-sharing applications [35], users may not realize the confidentiality risks of using them, which increases the chances of abuse.

Impact of Social Engineering on P2P PHSs

Social engineering can affect all types of P2P PHSs, as an attacker can easily target the user layer to deceive patients (older adult patients are more vulnerable to this attack than others [135]). In P2P PHSs, the impact is typically one user at a time, with the probability of escalating and affecting others in the network. Social engineering can be seen as an intelligent information-gathering stage that attackers use to mount other attacks [129], such as scamming patients to obtain, for instance, the access credentials to their P2P PHS accounts. Depending on their goals, attackers may then modify patients' health records or upload malware to the P2P network to affect patients' lives, health, location, privacy, behaviors, or activities [93] and to sabotage the PHS and its providers.

Poisoning the Network

Poisoning can be performed either as index poisoning or as routing table poisoning [102]. Many P2P systems provide a lookup service based on an index or on routing tables [35,47,95]. A poisoning attacker uses this lookup service to inject invalid information such as bogus resource identifiers or fake IP addresses. An index poisoning attack targets the index of a P2P system [43]. Injecting invalid information into the index or routing table can slow down queries, prevent others from finding the correct resources, or cause peers to waste time connecting to invalid peers [100,102], which eventually degrades the P2P network's quality of service [101]. Some anticopyright infringement organizations use poisoning attacks to prevent the sharing of pirated content on P2P networks [89,99,100]. These attacks are performed by identifying and poisoning the IP addresses of the servers hosting pirated content or by using those IP addresses as evidence to sue the content servers or the P2P system providers [71].

An index maintains records in a centralized manner (eg, Napster [50], P2P PHR [6], or the e-toile framework [21]) and enables users to locate resource owners' IP addresses and port numbers. In index poisoning attacks, the attacker aims to compromise indexing peers (peers that participate in the indexing) by adding invalid information to their local indexes, simply by sharing the bogus information with the indexing peer [43,81].

A poisoning attacker can also target a specific host. For example, if the attacker wants to mount a DDoS attack on the application server at host 129.13.152.6, the invalid information may include 129.13.152.6 as the IP address and 80 as the port number. Once the indexing peer has been poisoned, another peer searching for a resource eventually receives the invalid information from the poisoned peer and tries to download the resource from the victim host. Before downloading, the requesting peer establishes a transmission control protocol (TCP) connection with the victim host using the invalid information and then sends a request message for the desired resource. When many peers try to download the resource from the victim host in this way, a TCP-connection DDoS comes into effect [43,97,98].

Structured P2P systems (eg, P2P IHE [51], our proposed PHS architecture [Figure 3], Chord, and Kademlia [35]) are vulnerable to poisoning attacks [95], even though resource discovery is governed by a data structure (eg, a DHT). In routing table poisoning, the attacker exploits the fact that each peer in a DHT-based P2P system maintains a routing table of its neighbors [47,56,73,77,95,96]. Each entry in the table contains the neighbor's identifier, IP address, and port number. The attacker deceives participating peers by injecting invalid neighbors into their routing tables. A poisoned peer may then select an invalid neighbor from its routing table and forward its messages to it. If the routing tables of many peers are poisoned with invalid information and each entry points to the IP address of the victim host, the target receives a flood of messages from the DHT [95]. A further type of content pollution attack is a combination attack that combines index poisoning with fake-block attacks for higher impact [45,77]. In this case, poisoning attackers use index poisoning to advertise their own IDs in the invalid information. If victims establish a connection on the basis of this invalid information, they connect to the attacker, who can then feed them fake fragments and impose further harm.
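The index poisoning sequence described above (bogus records advertising 129.13.152.6:80, requesters connecting to the victim one after another), simulated end to end in Python as an added example; this is not code from the paper or from any of the P2P systems it cites. The hosts, the addresses other than the victim's (which is taken from the text), the resource IDs, and the NaiveIndex and HardenedIndex classes are constructed for the illustration. It contrasts an index that records whatever address an announcement claims with one that applies the checks a practitioner would add: recording only the observed sender address, capping records per resource and per sender, and letting requesters report addresses whose handshake fails. The same verify-before-trust rule applies to entries learned for a DHT routing table.

```python
"""Index poisoning turned into a TCP-connection DDoS, with two countermeasures.
Added example; all hosts, addresses and resource IDs are constructed, except
the victim address 129.13.152.6:80 taken from the text."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Host:
    addr: tuple                               # (ip, port)
    serves: set = field(default_factory=set)  # resource IDs this host really has
    p2p: bool = True                          # speaks the P2P protocol (a web server does not)
    connections: int = 0                      # TCP connections it had to accept


class Network:
    """Minimal stand-in for the transport layer: a table of reachable hosts."""

    def __init__(self):
        self.hosts = {}

    def add(self, host):
        self.hosts[host.addr] = host
        return host

    def handshake(self, addr, resource):
        """Requester opens a TCP connection and asks the peer to confirm it
        serves `resource`. Every attempt costs the target one connection."""
        host = self.hosts.get(addr)
        if host is None:
            return False
        host.connections += 1
        return host.p2p and resource in host.serves


class NaiveIndex:
    """Lookup service that stores whatever (resource, address) a peer announces."""

    def __init__(self):
        self.records = defaultdict(list)

    def announce(self, sender, resource, claimed_addr):
        self.records[resource].append(claimed_addr)

    def lookup(self, resource):
        return list(self.records[resource])

    def report_bad(self, resource, addr):
        """Feedback channel: a requester reports an address that failed the handshake."""
        if addr in self.records[resource]:
            self.records[resource].remove(addr)


class HardenedIndex(NaiveIndex):
    """Announcements are recorded under the address they were observed to come
    from (never a self-declared third-party address), once per sender, and
    at most MAX_PER_RESOURCE records per resource."""
    MAX_PER_RESOURCE = 8

    def announce(self, sender, resource, claimed_addr):
        recs = self.records[resource]
        if sender not in recs and len(recs) < self.MAX_PER_RESOURCE:
            recs.append(sender)


def fetch(net, index, resource, verify):
    """A requesting peer tries the index results in order. With `verify`, an
    address that fails the handshake is reported so later requesters skip it."""
    for addr in index.lookup(resource):
        if net.handshake(addr, resource):
            return addr
        if verify:
            index.report_bad(resource, addr)
    return None


def scenario(index_cls, verify, n_requesters=5, n_bogus=100):
    """Attacker floods the index with 'rec-42 is at the victim', then 5 honest
    peers look rec-42 up. Returns the load each host absorbed."""
    net = Network()
    victim = net.add(Host(("129.13.152.6", 80), p2p=False))            # application server
    attacker = net.add(Host(("203.0.113.66", 6881)))                   # constructed address
    honest = net.add(Host(("198.51.100.7", 6881), serves={"rec-42"}))  # constructed address
    index = index_cls()
    for _ in range(n_bogus):
        index.announce(attacker.addr, "rec-42", victim.addr)
    index.announce(honest.addr, "rec-42", honest.addr)
    served = sum(fetch(net, index, "rec-42", verify) == honest.addr
                 for _ in range(n_requesters))
    return {"victim_connections": victim.connections,
            "attacker_connections": attacker.connections,
            "requesters_served": served}


if __name__ == "__main__":
    for cls, verify in [(NaiveIndex, False), (NaiveIndex, True), (HardenedIndex, True)]:
        print(cls.__name__, "verify" if verify else "no verify", scenario(cls, verify))
```

`scenario(NaiveIndex, verify=False)` sends every one of the 5 requesters through all 100 poisoned records, so the victim absorbs 500 TCP connections; requester-side reporting alone (`scenario(NaiveIndex, verify=True)`) cuts this to the first requester's 100, and the hardened index never stores the victim's address at all. The sender-address rule is not a complete defense: an attacker with many addresses can still fill the per-resource cap with its own hosts, which is where the trust and reputation measures of Table 4 come in.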

Impact of Poisoning Attacks on P2P PHSs

Centralized P2P PHSs, such as P2P PHR [6] and the e-toile framework [21], could suffer the worst effects of poisoning attacks because these can cause DDoS or entire network failure and disrupt the services offered by the PHS. For example, in the e-toile framework [21], the list of health care stakeholders and their access rights, data exchange, and authentication are managed by a central index server; poisoning such an index could mean that the data of a patient registered with PHS_X who needs emergency care at a remote hospital that uses PHS_Y become inaccessible to practitioners. Even if the networks of PHS_X and PHS_Y are not themselves affected, the single point connecting the PHS providers is disrupted. Depending on the urgency of the patient's need for treatment, the need for access to health data, and the duration of the attack, the patient's health and life could be adversely affected. In some P2P PHSs (eg, P2P PHR [6] or P2HR [20]), peers' IP addresses are exposed to facilitate health information exchange between different health entities; this makes the attack even easier. For our proposed P2P PHS architecture (Figure 3), there is a federation of PHSs and tuple center providers. In the previous scenario, access and data exchange would not be affected if PHS_Y is in the same tuple group as PHS_X.

J Med Internet Res 2021 | vol. 23 | iss. 11 | e24460 | p. 14 | https://www.jmir.org/2021/11/e24460 (page number not for citation purposes)
Abdullahi Yari et al. JOURNAL OF MEDICAL INTERNET RESEARCH

Sybil Attack

The name Sybil attack was coined by Microsoft Research in 2002 and refers to the book Sybil about a patient, named Sybil, diagnosed with dissociative identity disorder [111]. In computer security, Sybils are multiple identities of a single user on the same machine; such a user can become powerful enough to control a significant part of the network or can use the identities to influence system behavior [54,56,81,109,110,112]. In DHT-based P2P systems, a user can locally generate multiple node IDs for many node instances on the same machine [108]; on the Kad network, a single node can select multiple IDs concurrently [107]. Creating Sybils is considered the most harmful behavior on a P2P system [54], as it undermines the network's redundancy property [81]. Sybil attacks occur in a P2P network when the reputation mechanisms are compromised [72], when secure authentication mechanisms are not implemented (eg, no proof of identity is required to register in the P2P session initiation protocol network [106]), or when a client's IP address and its maximum number of connections per ID are not verified (eg, the Kad network [98]). Limiting the number of connections per IP address (eg, in eDonkey [84]) does not prevent Sybil attacks because attackers can bypass it with many virtual IP addresses. There appears to be no clear and definite solution for preventing Sybil attacks [26]; this is due to the openness and lack of admission control mechanisms in P2P networks.

Attackers use Sybils to conduct massive and organized attacks on P2P networks [92]. For example, eclipse attacks [54] amplify Sybil attacks by combining them with ID assignment (or ID mapping) attacks [105], which place a sufficient number of Sybil nodes near the same portion of the ID space (Figure 6). This gives the attacker a deciding influence over where in the ID space new nodes are placed. When the attacker owns more nodes than the benign nodes in a segment, the attacker can control the messages in that segment, bias reputation scores, create DDoS situations, or force servers to exceed their CPU capacity [26,76,84]; this is also known as a gateway attack [92]. In blockchain P2P networks, for instance, attackers use Sybils to outvote the honest nodes in the network [52,63,104], which enables them to cheat without being detected. After a successful Sybil attack, attackers can transmit or discard blocks, effectively block other users from the network, carry out 51% attacks to change the order of transactions, prevent transactions from being confirmed, or even reverse their own transactions, which can lead to double spending [103].

Figure 6. Example of a Sybil attack [92]. The attacker placed malicious nodes on one side of the network segment. Placing many malicious nodes in the network enables the attacker to gain control of the activities of one-half of the network.

Impact of Sybil Attacks on P2P PHSs

Sybil attacks help attackers disguise their identities, access vital information managed in the PHS index service, monitor communications between users, steal patient data, or pollute the entire network to disrupt the entire PHS service operation, which would affect patients' health and lives and damage the PHS provider's reputation. In our proposed PHS architecture (Figure 3) and in the e-toile framework in Switzerland [21], the national health IT agencies are tasked with handling health care stakeholders' registration, authentication, and verification; therefore, the freedom of a malicious user to create multiple concurrent IDs on the same system is reduced by design. P2P PHSs such as P2P IHE [6,51] could be more vulnerable to Sybil attacks because control mechanisms are difficult to establish in a decentralized network. In any case, attackers can leverage Sybil attacks to steal patients' identities (eg, for insurance coverage or blackmail).

Eclipse Attack

An eclipse attack is a large-scale man-in-the-middle (MitM) attack that is commonly executed at the P2P network level [54,92]; routing, sniffing, and traffic analysis attacks are variants of it [56,79,81,93,105,106,115,116]. An eclipse attack aims to separate the entire network into 2 or more partitions (Figure 7) by placing malicious nodes on strategic routing paths of the P2P network [105,106,108] so that benign nodes are surrounded by malicious neighbors [77]. In most cases, the routing mechanisms are attacked [47]. This is accomplished by adding the attackers' addresses to the neighbor lists of benign nodes [54,81] or through fake routing updates and incorrect routing [105]. Once the network is fully segmented, with malicious nodes between the partitions, the attacker can act as a gateway and disrupt the information flow between the partitions, exclude groups of nodes from the network, or steal peer identities [54,77]. This affects the reliability, autonomy, and connectivity between peers and the CIA properties of P2P networks [72,106,114]. Besides manipulating the overlay network, an attacker that has collected a significant number of peer IDs and acts as a neighbor of benign nodes can also easily mount eclipse attacks [54,77,81,107].

Figure 7. Example of an eclipse attack [92]. The attacker successfully segmented the network into 2 ID spaces. Communications between the nodes in the network must be forwarded by the malicious nodes.

Successful eclipse attacks require attackers to control a high proportion of fake nodes in the network and to attract more direct routes to their nodes than the average benign node receives [54,77,81], especially in networks with relaxed rules for maintaining the routing table [92]. P2P systems that have no control over node placement in the ID space (eg, Gnutella [54]) or that allow free choice of identifiers (eg, Kad [107]) are highly vulnerable to eclipse attacks. P2P networks are most susceptible to eclipse attacks when they are new [54].

In the Bitcoin network, a botmaster with as few as 24 IP address blocks could eclipse any node with a probability of at least 85%, irrespective of the number of nodes in the network [114]. Despite new security patches that address eclipse attacks on the Bitcoin network, a novel form of eclipse attack, EREBUS, was found [113], which partitions the network and manipulates Bitcoin nodes' peering decisions. This shows how likely the exploitation of eclipses in P2P networks remains.
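Why free ID choice is the enabling condition for the Sybil and eclipse attacks described above, shown in a small Kademlia-style simulation (XOR distance, k nearest neighbors). This is an added example, not code from the paper or from Kad or Kademlia; the 32-bit ID space, the node counts, and the seed are constructed, and the countermeasure shown, deriving the node ID from a public-key hash and requiring a static hash puzzle on the ID, follows the S/Kademlia approach rather than anything the paper prescribes. `eclipse_fraction` reports what share of a target's k nearest neighbors the attacker controls; with freely chosen IDs the attacker reaches 1.0 with exactly k identities, whereas with derived IDs every Sybil costs a key search whose expected length grows by 2^puzzle_bits and with the tightness of the target region.

```python
"""Sybil placement in a Kademlia-style ID space: free ID choice versus IDs derived
from a public key plus a hash puzzle. Added example; the toy 32-bit ID space,
node counts and seed are constructed, and the puzzle follows the S/Kademlia idea."""
import hashlib
import random

ID_BITS = 32   # toy ID space (Kademlia uses 160 bits); keeps the key search fast
K = 20         # neighbours a node keeps for a region of the ID space (bucket size)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def node_id_from_key(pubkey: bytes) -> int:
    """Node ID = H(pubkey): the ID is bound to a key pair and cannot be chosen."""
    return int.from_bytes(sha256(pubkey)[: ID_BITS // 8], "big")


def leading_zero_bits(nid: int) -> int:
    """Static puzzle: how many leading zero bits H(ID) has."""
    h = int.from_bytes(sha256(nid.to_bytes(ID_BITS // 8, "big")), "big")
    return 256 - h.bit_length()


def closest(ids, target, k=K):
    """Kademlia's distance is XOR; a node's view of `target` is the k nearest IDs it knows."""
    return sorted(ids, key=lambda i: i ^ target)[:k]


def eclipse_fraction(honest_ids, attacker_ids, target):
    """Share of the k nearest neighbours of `target` that the attacker owns.
    1.0 means every lookup for `target` is answered by attacker nodes."""
    attacker = set(attacker_ids)
    neigh = closest(list(honest_ids) + list(attacker_ids), target)
    return sum(1 for i in neigh if i in attacker) / len(neigh)


def chosen_id_sybils(target, n):
    """Network lets nodes pick any ID (eg, Kad): the attacker takes the n IDs at
    XOR distance 1..n from the target. Cost: n identities, no work at all."""
    return [target ^ d for d in range(1, n + 1)]


def derived_id_sybils(target, n, max_distance_bits, puzzle_bits, rng):
    """IDs are H(pubkey) and must satisfy the puzzle. The attacker grinds random
    keys until the ID lands within 2**max_distance_bits of the target AND has
    `puzzle_bits` leading zeros in H(ID). Returns (ids, keys_tried)."""
    ids, tries = [], 0
    while len(ids) < n:
        tries += 1
        nid = node_id_from_key(rng.getrandbits(256).to_bytes(32, "big"))
        if (nid ^ target) < (1 << max_distance_bits) and leading_zero_bits(nid) >= puzzle_bits:
            ids.append(nid)
    return ids, tries


def run_demo(seed=7, honest_nodes=1000, n_sybils=8, max_distance_bits=22, puzzle_bits=4):
    rng = random.Random(seed)
    honest = [rng.getrandbits(ID_BITS) for _ in range(honest_nodes)]
    target = rng.getrandbits(ID_BITS)
    free_ids = chosen_id_sybils(target, K)
    derived, tries = derived_id_sybils(target, n_sybils, max_distance_bits, puzzle_bits, rng)
    return {
        "baseline": eclipse_fraction(honest, [], target),
        "free_choice": eclipse_fraction(honest, free_ids, target),
        "free_choice_identities": len(free_ids),
        "derived_fraction": eclipse_fraction(honest, derived, target),
        "derived_identities": len(derived),
        "keys_tried": tries,
        # expected work: n * 2**(ID_BITS - max_distance_bits) * 2**puzzle_bits
        "expected_keys": n_sybils * 2 ** (ID_BITS - max_distance_bits + puzzle_bits),
    }


if __name__ == "__main__":
    print(run_demo())
```

The per-IP connection limit the text mentions caps identities per address, which a botnet sidesteps; binding the ID to a key that had to be found by work caps identities per unit of computation instead and does not depend on the attacker having few addresses. It raises the attacker's cost rather than removing the attack: a well-funded attacker still eclipses a node by spending more hashes, which is why Table 4 pairs it with authentication and reputation measures.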

Impact of Eclipse Attacks on P2P PHSs

The lack of freedom to select and place identities and the presence of a control infrastructure in centralized and hybrid P2P PHSs (eg, our proposed architecture [Figure 3] or the e-toile framework in Switzerland [21]) reduce the impact of any form of eclipse attack. The impact could be higher for decentralized P2P PHSs such as P2P IHE [6,51] because of the absence of centralized trust and control infrastructures and the presence of eclipse attack vectors such as the resource routing mechanisms in the network [47]. In addition, a successful attack could allow an attacker to eavesdrop on the conversations between users in the network without necessarily compromising the patient's system. P2P PHSs on a patient device can be configured with wearable smart sensors to allow health practitioners or an embedded machine learning model to monitor vital parameters (eg, heart rate variability). In the case of a successful MitM attack on such P2P PHSs, the practitioners or machine learning models may receive unreliable data, which could lead to poor therapeutic or diagnostic decisions and even loss of life [93,135]. An attacker can also inject fake messages that an older adult has fallen in order to summon the next of kin or emergency services, or use the patient's location or personal data for blackmail [93,135].

DDoS Attack

A traditional denial-of-service (DoS) attack stops a service [92,94]. Query flooding is the most common vector for mounting DoS on P2P networks [77,105,117]. Invalid or corrupted packets flood the network [95] and impede the delivery of valid requests or messages (byzantine attacks [119]), thereby stopping all communications passing through the affected routes. A DDoS occurs when constant streams of invalid packets flood the network in such a way that a single node has to deal with massive traffic and runs out of bandwidth [43,80,81,92]; these are bandwidth attacks (Figure 8). A lack of central authority can be the root cause of DDoS [97], but the root cause can also be the absence of mechanisms that verify response messages from other nodes (eg, in Kad [98]). Many nodes (or zombies controlled by attackers, where each zombie may in turn control other attacking zombies) participate in DDoS attacks [81,88], while the source of the attack is hidden behind a separate layer or through spoofed IP addresses [84,92,105]. This disguise makes the attackers difficult to detect because they are often only indirectly involved [81].

Figure 8. Example of a distributed denial-of-service (DDoS) attack [92]. The attacker successfully executed the DDoS attack and compromised many nodes in the network. The normal nodes cannot establish connections to other normal nodes.

The previously discussed index and DHT routing table poisoning attacks and file request redirection (or topology change) attacks are further methods of mounting DDoS [77,84,98,102,110,118]. A file request redirection attacker (chatty peer) advertises possession of many false resources that are rare in the P2P network and then establishes several TCP connections with the victims (the requesting peers) [45,100,102]. When the requesting peers ask for the blocks of the requested resource, the attacker only resends handshake messages to the victims and never uploads any blocks. The requesting peers thus spend much time waiting in vain for the attacker's response, which blocks other legitimate users from connecting to them. As a result, a TCP-connection DDoS comes into effect and affects the availability of the entire P2P network [72]. A request-redirection DDoS attack on internet equipment was used to shut down tech giants' websites (eg, Yahoo and Amazon) in February 2000 [84], which shows the potential severity of DDoS on any network.

DDoS is an active attack, which makes it more aggressive. An attacker often attacks the network to prevent certain users from performing their tasks or to put the system out of service in one or many segments of the underlying infrastructure [76,84]. The probability of a DDoS attack is high in large P2P networks because nodes have to be reachable by the network (usually outside of firewall restrictions) [92,117]. Depending on the number of zombies, a DDoS on a decentralized P2P network may barely affect the network as a whole beyond a certain number of affected peers. In contrast, the impact could be higher on centralized and hybrid systems because communication relies on a single entity that is reachable throughout the network or subnetwork. The higher the number and diversity of the nodes involved in the DDoS, the more difficult it is to block [81,97].
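Query flooding, the DoS vector the text names first, and the per-node bandwidth limitation listed as a measure in Table 4, as an added example in Python (not code from the paper or from any cited system): a token-bucket throttle on incoming lookup queries, run over a constructed node log. The log format (`<timestamp> QUERY src=<ip>:<port> key=<key>`), the rate and burst parameters, and the two peers are assumptions for the illustration.

```python
"""Token-bucket throttle for incoming lookup queries, run over a constructed node log.
Added example; the log format, the rate/burst values and the peers are assumptions."""
import re
from dataclasses import dataclass
from datetime import datetime

# hypothetical one-line-per-query node log: <iso timestamp> QUERY src=<ip>:<port> key=<key>
LINE = re.compile(r"^(?P<ts>\S+) QUERY src=(?P<src>[\d.]+):(?P<port>\d+) key=(?P<key>\S+)$")


@dataclass
class Bucket:
    tokens: float
    last: float


class QueryThrottle:
    """One token bucket per source IP: `rate` queries per second sustained,
    at most `burst` back to back. Excess queries are dropped before they
    are forwarded into the overlay, so a flood costs the flooder, not the network."""

    def __init__(self, rate=2.0, burst=10):
        self.rate, self.burst = rate, burst
        self.buckets = {}
        self.dropped = {}

    def allow(self, src, now):
        b = self.buckets.get(src)
        if b is None:
            b = self.buckets[src] = Bucket(tokens=float(self.burst), last=now)
        b.tokens = min(self.burst, b.tokens + (now - b.last) * self.rate)
        b.last = now
        if b.tokens >= 1:
            b.tokens -= 1
            return True
        self.dropped[src] = self.dropped.get(src, 0) + 1
        return False


def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]).timestamp(), m["src"], m["key"]


def process(lines, throttle):
    """Feed log lines (in time order) through the throttle; returns forwarded counts per source."""
    forwarded = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue          # malformed line: ignore rather than crash the node
        ts, src, _key = rec
        if throttle.allow(src, ts):
            forwarded[src] = forwarded.get(src, 0) + 1
    return forwarded


def flooders(throttle, min_dropped=50):
    """Sources whose drop count is large enough to call a flood rather than a burst."""
    return sorted(src for src, n in throttle.dropped.items() if n >= min_dropped)


# constructed sample: an honest peer issuing a query every 2 s and a flooder firing 200 at once
SAMPLE = [f"2021-11-04T10:00:{2 * i:02d}.000 QUERY src=198.51.100.7:6881 key=rec-{i}" for i in range(5)]
SAMPLE += [f"2021-11-04T10:00:00.500 QUERY src=203.0.113.66:6881 key=rand-{i:03d}" for i in range(200)]
SAMPLE.sort()                 # logs are processed in timestamp order


def run_sample():
    throttle = QueryThrottle(rate=2.0, burst=10)
    forwarded = process(SAMPLE, throttle)
    return forwarded, dict(throttle.dropped), flooders(throttle)


if __name__ == "__main__":
    print(run_sample())
```

`run_sample()` forwards all 5 queries of the honest peer and the first 10 of the flooder's 200 (its burst allowance), dropping the remaining 190 and flagging the source. The caveat from the text applies: a bucket keyed on the source address is only as good as the source address, so against spoofed or botnet sources this limits the damage per address rather than stopping the flood, and it has to be combined with verifying responses before forwarding them (the Kad weakness noted above).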

Impact of DDoS on P2P PHSs

When P2P PHS providers are hospitals, as in our proposed architecture (Figure 3), and store all patients' medical records, a successful DDoS attack on the network (index or super peers) has severe consequences. It could disrupt the network and data access and cause a delay in treatment or even loss of life (eg, the case of a patient who died after malware hit a hospital in Germany [130]). In some centralized and hybrid COVID-19 contact tracing systems (eg, PEPP-PT [22] and TraceTogether [23]), the identifiers (ephemeral IDs) used to share exposure notifications during smartphone encounters are generated by a central authority (eg, a hospital), in batches large enough for future use and for constructing the contact graphs of users once they are infected [136]. A DoS on this server could prevent the IDs and the relevant risk estimations from reaching their targets, and the affected persons would have a false sense of safety because they are no longer notified about encountered contacts. In any case, the effect of DDoS is likely higher in centralized and hybrid P2P PHSs than in decentralized P2P PHSs such as P2P IHE [6,51] because of the presence of single points that manage other users in the network. However, centralized control mechanisms also ease the tracing of attackers and reduce the probability of DDoS attacks.

P2P Traffic Blockade

In 2008, P2P networks accounted for almost 53% of internet traffic in Germany, followed by web browsing (26%) and streaming (7%) [122]. With respect to P2P network traffic, BitTorrent accounted for 37%, web browsing for 15%, and eDonkey for 13% [122]. Given the high proportion of P2P traffic in most regions, it is not surprising that a number of internet service providers (ISPs) use advanced filtering techniques to impose bandwidth limits and throttle or block traffic associated with P2P systems, for instance, by using port numbers, flow features, and deep packet inspection [46,100,121]. In 2012, for example, the United Kingdom High Court ordered several ISPs (eg, O2, Virgin Media, and TalkTalk) to block access to The Pirate Bay, a BitTorrent index site, owing to its potential for copyright infringement [120].

Impact of P2P Traffic Blockade on P2P PHSs

The consequences of a P2P traffic blockade for any type of P2P PHS could be severe because the system could become unreachable over the network, for instance, when ISPs observe a high proportion of internet traffic caused by P2P networks and impose bandwidth limits or block the traffic. If any P2P PHS user is affected by the blockade, P2P PHS functions such as the remote sharing of medical records or COVID-19 exposure notifications will be disrupted. This can potentially affect patient health and contribute to virus spread. As a workaround, users can move to a different region that does not block the traffic because P2P systems are not bound by borders. The chances of being affected by a P2P traffic blockade when using a PHS are higher in regions that often use network traffic blockades as a public policy instrument (eg, in authoritarian regimes).

Discussion

Principal Findings

Our findings support the idea that P2P system security is a process rather than a product [33]. Moreover, security encompasses not only technical issues but also human and management problems. Therefore, it is highly relevant for the development and use of P2P PHSs to consider the security issues in P2P networks and the techniques used to exploit them, the security requirements to prevent attacks, the peculiarities of attacks, and potential attacker profiles. Our findings are presented in Tables 3 and 4. Security issues such as malware, social engineering attacks, eclipse attacks, DDoS attacks, pollution attacks, and P2P traffic blockades pose high threats (in case of a successful attack) and have a high probability of being exploited in P2P PHSs owing to the high number of factors contributing to their chances of successful exploitation (Table 3); moreover, they can put any P2P PHS out of service, which can potentially affect patients' state of health. For illustrative purposes, we discuss the factors and scores for malware and eclipse attacks in detail below (refer to the section Identified Security Issues and Their Impact on P2P PHSs for a detailed discussion of the security issues).

The effect of any malware type depends on its propagation speed and power. Malware that has compromised a PHS can be inadvertently spread by the patient (eg, when it is hidden in a patient's health records). Other factors promoting security issues in P2P networks (set-and-forget, no borders, digital winds spreading files, growing use, and network heterogeneity) and a lack of content verification (Table 3) can fuel malware propagation in the network. If attackers compromise super nodes (eg, practitioner or hospital nodes), they can spread malware even more easily. A successful malware attack (eg, Antinny [85,86] or Code-Red [78]) on any P2P PHS can affect the CIA properties of the network and may cause a delay in treatment or even loss of life (eg, the case of a patient who died after malware hit a hospital in Germany [130]). Malware can attack various network layers (user, network, or transport layers) to mount DoS attacks, poison the network, block P2P traffic, or compromise users' identities or health data.

The severity of malware is low in centralized P2P PHSs (eg, the e-toile framework in Switzerland [21] or P2P PHR [6]; Table 4) because the central index server can serve as a trusted computing base [25,26] or as a point at which to deploy control measures that mitigate the propagation of malware in the network. The severity of malware is medium in hybrid P2P PHSs (eg, P2HR [20] or our proposed P2P PHS architecture [Figure 3]; Table 4) because there is no central attack profile, and a federated data ecosystem multiplies the effort required for malware attacks by the number of federated subnetworks. The severity of malware is high in decentralized P2P PHSs (eg, P2P IHE [51]; Table 4) because of the lack of a trusted computing base and the high responsibility of individual users for maintaining routing information (DHT networks) and security measures [25,26]. Once the neighbor lists of users are infected by malware, the malware can spread further (eg, using a PRS strategy) through the nodes' subnetworks, which contributes to its high propagation speed [78,82].

Factors such as use and network heterogeneity, no borders, and snooping nodes promote the impact of eclipse attacks on P2P networks (Table 3). In most cases, a successful eclipse attack allows an attacker to eavesdrop on the conversations between peers in the network without necessarily compromising the victim's system. This impacts the reliability, autonomy, connectivity, and CIA properties of P2P networks [72,106,114].

The severity of eclipse attacks is low in centralized P2P PHSs (eg, the e-toile framework in Switzerland [21]; Table 4) because of the difficulty for users to create the multiple fake identities required to mount an eclipse attack [54,77,81] and the likely presence of a trusted computing infrastructure in centralized P2P PHSs. Nevertheless, attacks on central index servers (or on super peers in hybrid P2P PHSs) are likely to enable snooping on network communications. The severity of eclipse attacks is medium in hybrid and decentralized P2P PHSs (eg, P2P IHE [51] or our proposed P2P PHS architecture [Figure 3]; Table 4), as eclipse attacks require a high number of compromised nodes and are usually achieved through attacks on routing mechanisms [47,54,77,81]. Decentralized and hybrid P2P PHSs require routing mechanisms (eg, DHT) to facilitate health information exchange and communication between patients and practitioners.


Table 3. Factors promoting the security issues. Factors considered: snooping nodes; no content verification; use and network heterogeneity; digital winds spreading files; no borders; set-and-forget; inadvertent sensitive information disclosure.

Security issue             | Factors present (of 7)
---------------------------|---------------------------------------------------------------
Malware                    | 7 (all factors)
Social engineering attack  | 6
Poisoning the network      | 5
Sybil attack               | 3
Eclipse attack             | 3 (snooping nodes; use and network heterogeneity; no borders)
DDoS attack                | 5
Pollution                  | 7 (all factors)
P2P traffic blockade       | 3

P2P: peer-to-peer. DDoS: distributed denial-of-service.

Table 4. Severity ratings for peer-to-peer patient-centered health care information system (P2P PHS) security. Severity score per P2P PHS architecture.

Security issue             | Centralized | Hybrid | Decentralized | Exemplary security measures
---------------------------|-------------|--------|---------------|---------------------------------------------------------------
Malware                    | Low         | Medium | High          | Firewall; antivirus and antispyware; mobile agent-based intrusion detection system; access policies
Social engineering attack  | Medium      | Medium | Medium        | Education and awareness training
Poisoning the network      | Low         | Medium | High          | Authentication protocol; trust and reputation system; access policies
Sybil attack               | Low         | Low    | Medium        | Authentication protocol; trust and reputation system; end-to-end encryption
Eclipse attack             | Low         | Medium | Medium        | Authentication protocol; trust and reputation system; end-to-end encryption; access policies
DDoS attack                | High        | Medium | Medium        | Firewall; mobile agent-based intrusion detection system; bandwidth limitation per node; access policies
Pollution                  | Low         | Medium | Medium        | File and content verification; trust and reputation system; end-to-end encryption; removal of polluted content
P2P traffic blockade       | High        | Medium | Low           | End-to-end encryption; encryption of P2P traffic

DDoS: distributed denial-of-service.


Protecting P2P PHSs Against Security Issues

Under normal circumstances, patient-physician relationships are based on trust, and P2P systems generally require trust between their participants [46]. However, uncertainties regarding the protection of user data, single points of failure, and the integrity of super peers remain. In our proposed PHS architecture (Figure 3), a trusted registration authority (eg, the German HTI or a hospital) is introduced to the network to handle administrative tasks such as authentication and verification; it can also issue or revoke user credentials based on user behavior [30]. End-to-end encryption [137] can be used to maintain confidentiality in health care information systems [30] and to reduce the trust that must be placed in other network participants. For instance, the state-of-the-art Signal protocol for end-to-end encryption, which is used by popular instant messaging apps [138] including WhatsApp, Wire, and Facebook Messenger, can be used. Security analyses of the Signal protocol show that it resists most known attacks [139]. Furthermore, transparency mechanisms can make it easier to hold a provider accountable for violating users' trust [26]; for example, certificate transparency logs maintained by a set of services and neutral auditors keep track of providers' X.509 certificates so that rogue or hacked certificate authorities can be detected quickly. Such security techniques reduce the impact of eclipse attacks, DDoS attacks, pollution attacks, poisoning attacks, and P2P traffic blockades on P2P networks [52,81]. For example, a message intercepted by an eclipse attacker is useless to the attacker if it is end-to-end encrypted. Note, however, that encryption protects confidentiality and integrity but does not by itself restore availability: an eclipsed node can still be cut off from the rest of the network.

A discussion of all possible security measures (see Table 4 for examples) for each identified security issue is beyond the scope of this study. In line with the identified security issues, we focus on trust and reputation models (TRM), identity authentication schemes (IAS), and agent-based intrusion detection systems (IDSs). As an overarching guideline, we extended an existing guideline for the secure provision of PHSs [2] (Figure 9) with 2 additional steps (selection and modeling of security measures [step 3] and risk assessment [step 6]). The guideline supports individual PHS providers in dealing with the complexity of securing P2P PHSs.

An effective IAS addresses security issues such as Sybil attacks, poisoning attacks, pollution attacks, and MitM attacks [65,81,140] and is essential for health care information systems [2,30]. By authenticating users and the resources they share, the origin of pollution or poisoning attacks can be traced, and the attackers can be held accountable. Individual PHS providers leveraging an effective IAS can strengthen security, which has the potential to increase patients' intention to use P2P PHSs. In Germany, the German HTI planned to provide user authentication through smart cards as a security measure for PHS providers [65,141]. However, the introduction of national HTIs often leads to ambiguous, expensive, and protracted projects [65,141]. Until such solutions are widely available, developers of P2P PHSs should consider other IASs for the secure provision of PHSs in public networks [65].

Reputation systems are used to determine the trustworthiness of nodes and to mitigate Sybil, poisoning, pollution, and MitM attacks [142]. Reputation management for shared resources and for peers [143] reduces vulnerabilities such as ID stealth or pseudospoofing [144,145]. TRM techniques can be leveraged in P2P PHSs in any situation where a party misbehaves (eg, by supplying inappropriate data to a PHS). Patients can report misbehavior to the reputation system so that it is reflected in the reputation of the misbehaving party. Polluted resources can also be reported and removed if their reputation falls too low [72,73,75,81].
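A trust and reputation model of the kind described above, as an added example in Python rather than code from the paper or from any cited TRM: a beta-reputation score per peer and per resource, fed by the requester's own hash check of each received block (the file and content verification measure of Table 4). The scoring rule (Jøsang's beta reputation with exponential forgetting), the threshold, the peer names, and the interaction trace are constructed for the illustration.

```python
"""Beta-reputation for peers and shared resources, fed by block verification.
Added example; the scoring rule (Jøsang beta reputation with forgetting), the
threshold, the peer names and the interaction trace are constructed."""
import hashlib
from dataclasses import dataclass


@dataclass
class Reputation:
    """score = (r + 1) / (r + s + 2): r positive and s negative outcomes.
    A newcomer (r = s = 0) scores 0.5; old evidence is discounted by `forgetting`
    before each new observation so a peer cannot live forever on past merit."""
    r: float = 0.0
    s: float = 0.0
    forgetting: float = 0.9

    def update(self, positive: bool):
        self.r *= self.forgetting
        self.s *= self.forgetting
        if positive:
            self.r += 1
        else:
            self.s += 1

    @property
    def score(self) -> float:
        return (self.r + 1) / (self.r + self.s + 2)


class TrustManager:
    """Keeps one reputation per serving peer and one per resource. Feedback is
    generated locally by checking each delivered block against the hash the
    requester already holds, so nobody has to be trusted to report honestly."""

    def __init__(self, threshold=0.4):
        self.threshold = threshold
        self.peers = {}
        self.resources = {}

    def record(self, peer, resource, delivered: bytes, expected_hash: str) -> bool:
        ok = hashlib.sha256(delivered).hexdigest() == expected_hash
        self.peers.setdefault(peer, Reputation()).update(ok)
        self.resources.setdefault(resource, Reputation()).update(ok)
        return ok

    def trusted_peers(self):
        return sorted(p for p, rep in self.peers.items() if rep.score >= self.threshold)

    def polluted_resources(self):
        """Resources whose reputation fell below the threshold are candidates for removal."""
        return sorted(x for x, rep in self.resources.items() if rep.score < self.threshold)


def simulate():
    good = b"patient-record-block-0001"            # constructed block content
    good_hash = hashlib.sha256(good).hexdigest()
    tm = TrustManager()
    for i in range(10):
        tm.record("honest", "rec-42", good, good_hash)
        # fake-block attacker: every second block it serves is garbage
        tm.record("polluter", "rec-42", good if i % 2 == 0 else b"garbage", good_hash)
    for _ in range(10):
        # the same peer also advertises a resource that exists only as garbage
        tm.record("polluter", "rec-99", b"garbage", good_hash)
    return tm


if __name__ == "__main__":
    tm = simulate()
    for name, rep in tm.peers.items():
        print(f"{name}: {rep.score:.2f}")
    print("trusted:", tm.trusted_peers(), "polluted:", tm.polluted_resources())
```

In `simulate()`, the honest peer ends well above the threshold, the peer that alternates valid and fake blocks is still tolerated after 10 exchanges but is excluded once it serves a wholly fake resource, and that resource is flagged for removal. Note the whitewashing gap: a newcomer starts at 0.5, above the threshold, so an excluded peer can rejoin under a fresh ID unless identities are costly, which is why a TRM has to be paired with an IAS.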

To address malicious peers, worms, and DDoS attacks in the network, an intelligent mobile agent-based IDS can be deployed at strategic locations (eg, at a hospital node in our proposed P2P PHS architecture [Figure 3], in the DHT network of decentralized P2P PHSs such as P2P IHE [6,51], or at the central index servers of centralized PHSs such as the e-toile PHS [21]) to protect the corresponding subnetworks. There are prototypes of scalable and decentralized agent-based IDSs that use 3 types of algorithms (heavy, medium, and light scan algorithms) to detect malicious activities as early as possible [87,146,147]. Backpropagation neural network techniques can be used in IDSs to reduce response times and false alarm rates [148,149]. To improve detection latency and load balancing, a collaborative IDS uses publish-subscribe techniques to selectively route evidence of malicious activities between peers in the network via distributed lookup mechanisms [150,151]. Worms scan and infect certain ports in a network; a firewall can be used to monitor, filter, block, and blacklist them, and antivirus and antispyware tools can remove or quarantine suspicious files [81]. DDoS can be mitigated by limiting the download bandwidth of each node. Other policies, such as restricting P2P access to verified directories and scanning each file before opening it, can mitigate the impact of DDoS, malware, and poisoning attacks [97].

We added risk management (step 6) to the guideline for the secure provision of PHSs (Figure 9) to allow for prioritization of the security issues with the highest impact and for the efficient use of available resources [152]. Risk assessment (step 6a) focuses on the identification and assessment of security issues based on the likelihood of occurrence and the severity of the consequences of exploitation. The cost-benefit analysis weighs the cost of a mitigation against the cost of recovering from the security breaches it would prevent. Where the cost of mitigation exceeds the potential impact of a security issue, P2P PHS providers may choose to accept some level of risk.

J Med Internet Res 2021 | vol. 23 | iss. 11 | e24460 | p. 20 | https://www.jmir.org/2021/11/e24460 (page number not for citation purposes)

Abdullahi Yari et al | JOURNAL OF MEDICAL INTERNET RESEARCH

XSL•FO RenderX

Figure 9. Guidelines for provision of the patient-centered health care information system (PHS) while ensuring security.

Limitations

This research focuses on security engineering for P2P PHSs. Legal issues with respect to health care security management are beyond the scope of this study. A further limitation is that P2P PHSs are an emerging phenomenon; therefore, our study provides neither real-world experiments nor a review of past P2P PHS security incidents. Moreover, the bandwidth, computation, and storage cost analyses of the proposed P2P infrastructure, how usability and deployability will affect P2P PHS adoption, and how to handle patient registration with multiple PHS providers are beyond the scope of this study.

Contributions

Our research provides a foundation for understanding P2P system architectures and their advantages and disadvantages. We propose and discuss a federated architecture (Figure 3) suitable for PHS deployment, which could be adopted by any P2P PHS provider, such as insurance companies, hospitals, or other parties who want to implement P2P PHSs while maintaining security. On the basis of the 3 archetypical P2P system architectures, we elicited and reviewed the inherent security issues and the factors promoting them (Table 3). Moreover, we discuss the consequences of the security issues and apply a severity scoring system (Table 4) that signifies the impact of each security issue for the 3 architectures of P2P PHSs (centralized, hybrid, and decentralized) based on the CVSS definitions (Multimedia Appendix 2). Although a comprehensive discussion of security measures for each identified security issue is beyond the scope of this study, we offer an overview of potential security measures that are useful for maintaining security in P2P PHSs. We also extended a guideline for the secure provision of PHSs in public networks [2] to the P2P PHS context (Figure 9).

P2P PHSs (eg, COVID-19 contact tracing systems such as PEPP-PT [22] or OnePatient [15]) require research from many perspectives to facilitate widespread use because they are an emerging phenomenon, pose major security issues (eg, by requiring patients to manage information security largely by themselves [65]), and are understudied. Extant research on PHS security, privacy, and end-user features [2,28-31] focuses on centralized and DLT-based PHSs. Our research serves as an introduction to P2P PHSs and their potential security issues and countermeasures. From an ethical perspective, our study is of interest to initiatives aimed at empowering patients to take ownership of and control access to their health data. P2P PHSs promote socially desirable design features such as openness, reduced dependence on platforms, abandonment of data silos, and secure patient-to-practitioner communication. Provided that the security challenges are appropriately addressed, P2P PHSs are also promising for simplifying the implementation of data protection principles (eg, GDPR [8,34]). Secure P2P PHSs will not only attract more stakeholders but will also be more efficient in achieving the goals of patient-centered digital ecosystems [153].

Future Research

Opportunities for future research include improved designs of security models, such as IAS, TRM, and intelligent mobile agent–based IDS, to strengthen security. PHSs have further, more safety-related security requirements that should also be incorporated in their design, such as emergency access and guardian support. Such features are vital for P2P PHSs to facilitate access in situations where patients are incapacitated. However, they are also likely to raise privacy concerns and data protection challenges, as they require access to sensitive information without consulting patients. By using reliable and patient-centered backup options, P2P PHS providers can integrate identity authentication management in backup servers to facilitate the replacement of patient credentials when patients lose access to them (eg, through a stolen laptop). In addition to developing approaches to improve the education and awareness of patients regarding the information security challenges inherent to sharing data with third parties [8], a questionnaire-based study that asks other P2P PHS stakeholders about their security and privacy concerns with respect to P2P PHSs could yield valuable contributions. A guideline for the evaluation of P2P PHSs based on information security standards (eg, ISO 27799:2016) could also be very useful.

Conclusions

The idea of P2P PHSs breaking up barriers among patients, health care systems, physicians, and other stakeholders is appealing. From the patients' perspective, being empowered to conveniently take ownership of and control access to their health data through a PHS might bring forth a digital ecosystem that makes patients more active contributors to their own care and can streamline health care activities such as receiving and accurately interpreting laboratory test results. In the United States, HIPAA [6] specifies that patients have the liberty "to see and get copies of their records, and request amendments"; however, the act does not go into detail on appropriate approaches for giving access [3,30,154]. Currently, PHSs use DLT, P2P technology, or centralized databases for deployment. To mitigate the impact of security issues in centralized databases and the lack of fit of DLT with PHS use cases, P2P PHSs emerged (eg, OnePatient [15], doc.ai brands [7], or COVID-19 proximity tracing systems such as Stopp Corona [24]), which store health records locally (on any patient edge device such as a mobile phone, a tablet computer, or a desktop computer) under the control of the individual device owners.

The benefits of P2P networks for PHSs include more options for privacy self-management, autonomous control of infrastructure, and high availability. However, these advantages come with complications, as patients must also manage information security largely by themselves. Gartner claims that the costs of remediating security issues would be reduced by 75% if only 50% of system vulnerabilities were detected and remediated before production [155]. Building a successful P2P system that does not result in privacy or security violations for users is difficult [26] and entails a collective effort to fix the remaining problems (eg, the absence of a centralized entity to detect malicious attacks and the increased chance of exposing network traffic patterns), with clear consideration of network security and ease of use.

The enormous value of health data requires the provision of security measures to protect PHSs from cyberattacks. Overcoming security and privacy barriers in P2P PHSs is also important for increasing patients' intention to use PHSs. PHS providers and developers should neither ignore the inherent or past security issues of P2P systems nor be careless about future ones.

Acknowledgments

This work was supported by funding from the topic Engineering Secure Systems of the Helmholtz Association (HGF) and by KASTEL Security Research Labs.

Conflicts of Interest

JG is chief executive officer at Refinio GmbH, a company that provides peer-to-peer patient-centered health care information systems (eg, OnePatient). IAY was involved in weekly discussions with software developers working on the OnePatient patient-centered health care information system about peer-to-peer patient-centered health care information system innovations, motivations, contributions, and foundational architectures for this research. BE reports grants from adidas AG, outside the submitted work. In addition, BE has a patent related to gait assessment pending and reports ownership of Portabiles GmbH and Portabiles HealthCare Technologies GmbH.

Multimedia Appendix 1
List of individual journals and conferences.
[DOCX File, 27 KB - Multimedia Appendix 1]

Multimedia Appendix 2
Definition of Consequence of Exploitation. The rate estimation was guided by the Common Vulnerability Scoring System, which provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.
[DOCX File, 22 KB - Multimedia Appendix 2]

References

1. Healthcare of the Future: the digital revolution of the healthcare sector - ecosystem, use cases, benefits, challenges and recommendations for action. Porsche-Consulting. 2018. URL: https://www.porsche-consulting.com/fileadmin/docs/Startseite/News/tt1162/Porsche_Consulting_Studie_Healthcare_of_the_Future_EN.pdf [accessed 2019-09-12]

2. Dehling T, Sunyaev A. Secure provision of patient-centered health information technology services in public networks—leveraging security and privacy features provided by the German nationwide health information technology infrastructure. Electron Markets 2014 Feb 8;24(2):89-99 [FREE Full text] [doi: 10.1007/s12525-013-0150-6]

3. Sunyaev A, Chornyi D, Mauro C, Krcmar H. Evaluation framework for personal health records: Microsoft Healthvault vs. Google Health. In: Proceedings of the 43rd Hawaii International Conference on System Sciences. 2010 Presented at: 43rd Hawaii International Conference on System Sciences; Jan. 5-8, 2010; Honolulu, HI, USA p. 1-10. [doi: 10.1109/hicss.2010.192]

4. Krist AH, Woolf SH. A vision for patient-centered health information systems. J Am Med Assoc 2011 Jan 19;305(3):300-301 [FREE Full text] [doi: 10.1001/jama.2010.2011] [Medline: 21245186]

5. Dehling T, Sunyaev A. Architecture and design of a patient-friendly eHealth web application: patient information leaflets and supplementary services. In: Proceedings of the 18th Americas Conference on Information Systems (AMCIS 2012). 2012 Presented at: 18th Americas Conference on Information Systems (AMCIS 2012); August 9-11, 2012; Seattle, Washington URL: https://ssrn.com/abstract=2152925

6. Horne WC, Miled ZB. Making the case for a P2P personal health record. Information 2020 Oct 31;11(11):512. [doi: 10.3390/info11110512]

7. Doc.AI brands: Passport, Serenity, Doc.ai, and Genewall. Doc.ai. 2020. URL: https://doc.ai/ [accessed 2019-10-01]

8. Hager A, Lindblad S, Brommels M, Salomonsson S, Wannheden C. Sharing patient-controlled real-world data through the application of the theory of commons: action research case study. J Med Internet Res 2021 Jan 19;23(1):e16842 [FREE Full text] [doi: 10.2196/16842] [Medline: 33464212]

9. Sinthanayothin C, Bholsithi W, Wongwaen N, Xuto P. ZBaby: Android application for pregnancy due date, fetus development simulation and weight gain during pregnancy. In: Proceedings of the International Computer Science and Engineering Conference (ICSEC). 2014 Presented at: International Computer Science and Engineering Conference (ICSEC); July 30 - Aug. 1, 2014; Khon Kaen, Thailand. [doi: 10.1109/icsec.2014.6978130]

10. Spitzer J. 63% of Americans don't know where their medical data is stored: 8 survey insights. Becker's Healthcare. 2018. URL: https://www.beckershospitalreview.com/ehrs/63-of-americans-don-t-know-where-their-medical-data-is-stored-8-survey-insights.html [accessed 2018-10-21]

11. MedicalChain Whitepaper version 2.1. MedicalChain. 2018. URL: https://medicalchain.com/Medicalchain-Whitepaper-EN.pdf [accessed 2018-12-05]

12. HealthBank. 2019. URL: https://www.healthbank.coop/ [accessed 2019-01-06]

13. Zhou L, DeAlmeida D, Parmanto B. Applying a user-centered approach to building a mobile personal health record app: development and usability study. JMIR Mhealth Uhealth 2019 Jul 05;7(7):e13194 [FREE Full text] [doi: 10.2196/13194] [Medline: 31278732]

14. Aligning stakeholders in a new healthcare ecosystem. MintHealth. 2018. URL: https://www.minthealth.io/wp-content/uploads/2018/04/MH_WHITEPAPER_04.18.pdf [accessed 2019-03-05]

15. OnePatient. RefinioONE. 2019. URL: https://refinio.net/software.html [accessed 2018-10-10]

16. Kleinke JD. Dot-gov: market failure and the creation of a national health information technology system. Health Aff (Millwood) 2005;24(5):1246-1262. [doi: 10.1377/hlthaff.24.5.1246] [Medline: 16162569]

17. Azaria A, Ekblaw A, Vieira T, Lippman A. Medrec: using blockchain for medical data access and permission management. In: Proceedings of the 2nd International Conference on Open and Big Data (OBD). 2016 Presented at: 2nd International Conference on Open and Big Data (OBD); Aug. 22-24, 2016; Vienna, Austria p. 25-30. [doi: 10.1109/obd.2016.11]


18. Beinke JH, Fitte C, Teuteberg F. Towards a stakeholder-oriented blockchain-based architecture for electronic health records: design science research study. J Med Internet Res 2019 Oct 07;21(10):e13585 [FREE Full text] [doi: 10.2196/13585] [Medline: 31593548]

19. Wright CS. Bitcoin: a peer-to-peer electronic cash system. SSRN J 2020:9986. [doi: 10.2139/ssrn.3440802]

20. King Z. P2HR, a personalized condition-driven person health record. Master thesis submitted to the Faculty of Purdue University, Indianapolis, Indiana. 2017. URL: https://scholarworks.iupui.edu/handle/1805/13604 [accessed 2019-10-01]

21. Geissbuhler A, Spahni S, Assimacopoulos A, Raetzo M, Gobet G. Design of a patient-centered, multi-institutional healthcare information network using peer-to-peer communication in a highly distributed architecture. Stud Health Technol Inform 2004;107(Pt 2):1048-1052. [Medline: 15360972]

22. Troncoso C, Payer M, Hubaux J, Salathé M, Larus J, Bugnion E, et al. Decentralized privacy-preserving proximity tracing - GitHub DP-3T documents. GitHub. 2020. URL: https://github.com/DP-3T/documents [accessed 2020-07-01]

23. Cho H, Ippolito D, Yu YW. Contact tracing mobile apps for COVID-19: privacy considerations and related trade-offs. arXiv. 2020. URL: https://arxiv.org/abs/2003.11511 [accessed 2020-04-01]

24. Ulrich B, Bernauer A, Blocher M, Gollatz B, Judmayer A, Koppmann M, et al. Technical and legal review of the Stopp Corona app by the Austrian Red Cross. NOYB – European Center for Digital Rights. 2020. URL: https://noyb.eu/sites/default/files/2020-04/report_stopp_corona_app_english_v1.0_0.pdf [accessed 2020-05-01]

25. Rushby J. Design and verification of secure systems. SIGOPS Oper Syst Rev 1981 Dec;15(5):12-21. [doi: 10.1145/1067627.806586]

26. Troncoso C, Isaakidis M, Danezis G, Halpin H. Systematizing decentralization and privacy: lessons from 15 years of research and deployments. Proc Privacy Enhanc Technol 2017;4:404-426 [FREE Full text] [doi: 10.1515/popets-2017-0056]

27. Solid project by Tim Berners-Lee. Solid Project. 2020. URL: https://solidproject.org/ [accessed 2020-02-01]

28. Kaletsch A, Sunyaev A. Privacy engineering: personal health records in cloud computing environments. In: Proceedings of the International Conference on Information Systems, ICIS 2011. 2011 Presented at: International Conference on Information Systems, ICIS 2011; December 4-7, 2011; Shanghai, China. URL: https://www.researchgate.net/publication/221600139_Privacy_Engineering_Personal_Health_Records_in_Cloud_Computing_Environments

29. Dubovitskaya A, Xu Z, Ryu S, Schumacher M, Wang F. Secure and trustable electronic medical records sharing using blockchain. AMIA Annu Symp Proc 2017;2017:650-659 [FREE Full text] [Medline: 29854130]

30. Fernández-Alemán JL, Señor IC, Lozoya PA, Toval A. Security and privacy in electronic health records: a systematic literature review. J Biomed Inform 2013 Jun;46(3):541-562 [FREE Full text] [doi: 10.1016/j.jbi.2012.12.003] [Medline: 23305810]

31. Müthing J, Brüngel R, Friedrich CM. Server-focused security assessment of mobile health apps for popular mobile platforms. J Med Internet Res 2019 Jan 23;21(1):e9818 [FREE Full text] [doi: 10.2196/jmir.9818] [Medline: 30672738]

32. Farn K, Hwang J, Lin S. Study on applying ISO/DIS 27799 to healthcare industry's ISMS. WSEAS Transactions on Biology and Biomedicine. 2007. URL: https://wseas.org/wseas/cms.action?id=4011 [accessed 2020-09-01]

33. Schneier B. In: Phil S, editor. Applied Cryptography: Protocols, Algorithms, Source Code in C. New York, United States: John Wiley & Sons; 2007.

34. Nurgalieva L, O'Callaghan D, Doherty G. Security and privacy of mhealth applications: a scoping review. IEEE Access 2020;8:104247-104268. [doi: 10.1109/access.2020.2999934]

35. Vu QH, Lupu M, Ooi BC. Architecture of peer-to-peer systems. In: Peer-to-Peer Computing. Berlin: Springer; 2010:11-37.

36. Vakili G, Khorsandi S. Engineering a peer to peer architecture: a complex adaptive system approach. In: Proceedings of the IEEE International Systems Conference. 2010 Presented at: IEEE International Systems Conference; April 5-8, 2010; San Diego, CA, USA p. 520-523. [doi: 10.1109/systems.2010.5482487]

37. Records, computers, and the rights of citizens: Report of the US Dept Welfare Secretary's Advisory Committee on Automated Personal Data Systems. US Department of Health, Education and Welfare. 1973. URL: https://www.justice.gov/opcl/docs/rec-com-rights.pdf [accessed 2020-05-05]

38. Gassmann H. OECD guidelines governing the protection of privacy and transborder flows of personal data. Comput Networks (1976) 1981 Apr;5(2):127-141 [FREE Full text] [doi: 10.1016/0376-5075(81)90068-4]

39. Notifiable Data Breaches Report: July–December 2019. The Office of the Australian Information Commissioner (OAIC). 2020. URL: https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-report-july-december-2019/ [accessed 2020-07-01]

40. Protenus 2019 Breach Barometer: 15m+ patient records breached in 2018 as hacking incidents continue to climb. Protenus, Inc. in Collaboration with DataBreaches.net. 2019. URL: https://email.protenus.com/hubfs/Breach_Barometer/2018/2019%20Breach%20Barometer%20Annual%20Report.pdf [accessed 2020-04-01]

41. Burton C, De Boel L, Kuner C. The final European Union general data protection regulation. Wilson Sonsini. 2016. URL: https://www.wsgr.com/en/insights/the-final-european-union-general-data-protection-regulation.html [accessed 2020-06-02]

42. Kelly G, McKenzie B. Security, privacy, and confidentiality issues on the internet. J Med Internet Res 2002;4(2):E12. [doi: 10.2196/jmir.4.2.e12] [Medline: 12554559]


43. Naoumov N, Ross K. Exploiting P2P systems for DDoS attacks. In: Proceedings of the 1st International Conference on Scalable Information Systems. 2006 Presented at: InfoScale '06: 1st International Conference on Scalable Information Systems; May 30-June 1, 2006; Hong Kong, China p. 47. [doi: 10.1145/1146847.1146894]

44. Jan MA, Nanda P, He X, Liu RP. A Sybil attack detection scheme for a forest wildfire monitoring application. Future Generation Comput Syst 2018 Mar;80:613-626 [FREE Full text] [doi: 10.1016/j.future.2016.05.034]

45. Nwebonyi FN, Martins R, Correia ME. Reputation based approach for improved fairness and robustness in P2P protocols.Peer-to-Peer Netw Appl 2018 Dec 6;12(4):951-968 [FREE Full text] [doi: 10.1007/s12083-018-0701-x]

46. Wallach DS. A survey of peer-to-peer security issues. In: Proceedings of the International Symposium on Software Security. 2003 Presented at: International Symposium on Software Security; November 4-6, 2003; Tokyo, Japan p. 42-57. [doi: 10.1007/3-540-36532-x_4]

47. Ismail H. Analyzing and mitigating security threats in P2P systems. Darmstadt, Technische Universität [Ph.D. Thesis]. 2018. URL: https://tuprints.ulb.tu-darmstadt.de/7812/ [accessed 2019-10-04]

48. Crocker S. Host software (RFC 1). IETF Datatracker. 1969. URL: https://tools.ietf.org/html/rfc1 [accessed 2019-06-02]

49. Doyle JF. Peer-to-peer: harnessing the power of disruptive technologies. Ubiquity 2001 May;2001(May):2. [doi: 10.1145/375348.377427]

50. Shen X, Yu H, Buford J, Akon M. Handbook of Peer-to-Peer Networking. Boston, MA: Springer; 2010:1-1500.

51. Urovi V, Olivieri AC, Bromuri S, Fornara N, Schumacher MI. A peer to peer agent coordination framework for IHE based cross-community health record exchange. In: Proceedings of the 28th Annual ACM Symposium on Applied Computing. 2013 Presented at: SAC '13: 28th Annual ACM Symposium on Applied Computing; March 18-22, 2013; Coimbra, Portugal p. 1355-1362. [doi: 10.1145/2480362.2480617]

52. Palomar E, Estevez-Tapiador J, Hernandez-Castro J, Ribagorda A. Security in P2P networks: survey and research directions. In: Emerging Directions in Embedded and Ubiquitous Computing. Berlin: Springer; 2006:183-192.

53. Kurose JF. Computer Networking: A Top-Down Approach (6th Edition). London, U.K: Pearson; 2012:1-864.

54. López-Fuentes FD, Eugui-De-Alba I, Ortíz-Ruiz OM. Evaluating P2P networks against eclipse attacks. Procedia Technol 2012;3:61-68. [doi: 10.1016/j.protcy.2012.03.007]

55. Balakrishnan H, Kaashoek MF, Karger D, Morris R, Stoica I. Looking up data in P2P systems. Commun ACM 2003 Feb;46(2):43-48. [doi: 10.1145/606272.606299]

56. De S, Barik MS, Banerjee I. Goal based threat modeling for peer-to-peer cloud. Procedia Comput Sci 2016;89:64-72. [doi: 10.1016/j.procs.2016.06.010]

57. Feldotto M, Scheideler C, Graffi K. A self-stabilizing overlay network for nodes with heterogeneous bandwidths. In: Proceedings of the 14th IEEE International Conference on Peer-to-Peer Computing. 2014 Presented at: 14th IEEE International Conference on Peer-to-Peer Computing; Sept. 8-12, 2014; London, UK p. 1-10. [doi: 10.1109/p2p.2014.6934300]

58. Sanchez-Artigas M, Garcia-Lopez P. On routing in distributed hash tables: is reputation a shelter from malicious behavior and churn? In: Proceedings of the IEEE Ninth International Conference on Peer-to-Peer Computing. 2009 Presented at: IEEE Ninth International Conference on Peer-to-Peer Computing; Sept. 9-11, 2009; Seattle, WA, USA p. 31-40. [doi: 10.1109/p2p.2009.5284546]

59. Wang Q, Mittal P, Borisov N. In search of an anonymous and secure lookup: attacks on structured peer-to-peer anonymous communication systems. In: Proceedings of the 17th ACM Conference on Computer and Communications Security. 2010 Presented at: CCS '10: 17th ACM Conference on Computer and Communications Security 2010; Oct 4-8, 2010; Chicago, Illinois, USA p. 308-318. [doi: 10.1145/1866307.1866343]

60. Omicini A, Denti E. From tuple spaces to tuple centres. Sci Comput Program 2001 Nov;41(3):277-294. [doi: 10.1016/s0167-6423(01)00011-9]

61. Chen G, Hu T, Jiang D, Lu P, Tan K, Vo HT, et al. Bestpeer++: a peer-to-peer based large-scale data processing platform. IEEE Trans Knowl Data Eng 2014 Jun;26(6):1316-1331. [doi: 10.1109/tkde.2012.236]

62. Decker C, Eidenbenz R, Wattenhofer R. Exploring and improving BitTorrent topologies. In: Proceedings of the IEEE P2P 2013 Conference. 2013 Presented at: IEEE P2P 2013 Conference; Sept. 9-11, 2013; Trento, Italy. [doi: 10.1109/P2P.2013.6688698]

63. de Leon DC, Stalick AQ, Jillepalli AA, Haney MA, Sheldon FT. Blockchain: properties and misconceptions. Asia Pac J Innov Entrep 2017 Dec 04;11(3):286-300. [doi: 10.1108/apjie-12-2017-034]

64. Donnelly N. The PACE system: a P2P architecture for cloud based eHealth systems. Master of Science thesis, Dublin City University. 2015. URL: http://doras.dcu.ie/20781/ [accessed 2020-02-04]

65. Abdullahi I, Dehling T, Kluge F, Eskofier B, Sunyaev A. Online at will: a novel protocol for mutual authentication in peer-to-peer networks for patient-centered health care information systems. In: Proceedings of the 54th Hawaii International Conference on System Sciences (HICSS 2021). 2021 Presented at: 54th Hawaii International Conference on System Sciences (HICSS 2021); Jan 05, 2021; Kauai, Hawaii, USA p. 3828. [doi: 10.24251/hicss.2021.463]

66. Yang B, Garcia-Molina H. Improving search in peer-to-peer networks. In: Proceedings of the 22nd International Conference on Distributed Computing Systems. 2002 Jul Presented at: 22nd International Conference on Distributed Computing Systems; July 2-5, 2002; Vienna, Austria p. 5-14 URL: https://ieeexplore.ieee.org/document/1022237 [doi: 10.1109/ICDCS.2002.1022237]


67. Moher D, Liberati A, Tetzlaff J, Altman DG. Preferred reporting items for systematic reviews and meta-analyses: the PRISMA statement. Int J Surg 2010;8(5):336-341 [FREE Full text] [doi: 10.1016/j.ijsu.2010.02.007] [Medline: 20171303]

68. Kitchenham B, Charters S. Guidelines for performing systematic literature reviews in software engineering. EBSE Technical Report, Keele University and University of Durham. 2007. URL: https://www.elsevier.com/__data/promis_misc/525444systematicreviewsguide.pdf [accessed 2019-10-04]

69. Friese S. Qualitative Data Analysis with ATLAS. Thousand Oaks, CA: SAGE Publications Ltd; 2019:1-344.

70. Braun V, Clarke V. Using thematic analysis in psychology. Qualitative Research in Psychology 2006 Jan;3(2):77-101. [doi: 10.1191/1478088706qp063oa]

71. Lu M, Lee P, Lui J. Identity attack and anonymity protection for P2P-VoD systems. In: Proceedings of the Nineteenth IEEE International Workshop on Quality of Service. 2011 Presented at: Nineteenth IEEE International Workshop on Quality of Service; June 6-7, 2011; San Jose, CA, USA. [doi: 10.1109/iwqos.2011.5931313]

72. Gheorghe G, Lo Cigno R, Montresor A. Security and privacy issues in P2P streaming systems: a survey. Peer-to-Peer Netw Appl 2010 Apr 23;4(2):75-91 [FREE Full text] [doi: 10.1007/s12083-010-0070-6]

73. Wang JH, Wang C, Yang J, An C. A study on key strategies in P2P file sharing systems and ISPs' P2P traffic management. Peer-to-Peer Netw Appl 2011 Jan 7;4(4):410-419 [FREE Full text] [doi: 10.1007/s12083-010-0098-7]

74. Zhang P, Helvik BE. Towards green P2P: understanding the energy consumption in P2P under content pollution. In: Proceedings of the IEEE/ACM Int'l Conference on Green Computing and Communications & Int'l Conference on Cyber, Physical and Social Computing. 2010 Presented at: IEEE/ACM Int'l Conference on Green Computing and Communications & Int'l Conference on Cyber, Physical and Social Computing; Dec. 18-20, 2010; Hangzhou, China. [doi: 10.1109/greencom-cpscom.2010.45]

75. de Almeida RB, Natif JA, da Silva AP, Vieira AM. Pollution and whitewashing attacks in a P2P live streaming system: analysis and counter-attack. In: Proceedings of the IEEE International Conference on Communications (ICC). 2013 Presented at: IEEE International Conference on Communications (ICC); June 9-13, 2013; Budapest, Hungary. [doi: 10.1109/icc.2013.6654819]

76. Tang H, Yang Z, Chen L. Analysis on security issues for mobile P2P networks. In: Proceedings of the 8th International Conference on Wireless Communications, Networking and Mobile Computing. 2012 Presented at: 8th International Conference on Wireless Communications, Networking and Mobile Computing; Sept. 21-23, 2012; Shanghai, China. [doi: 10.1109/WICOM.2012.6478429]

77. Yue X, Qiu X, Ji Y, Zhang C. P2P attack taxonomy and relationship analysis. In: Proceedings of the 11th International Conference on Advanced Communication Technology. 2009 Presented at: 11th International Conference on Advanced Communication Technology; Feb. 15-18, 2009; Gangwon, Korea (South) URL: https://ieeexplore.ieee.org/document/4809630?arnumber=4809630

78. Yu W, Chellappan S, Wang X, Xuan D. Peer-to-peer system-based active worm attacks: modeling, analysis and defense. Comput Commun 2008 Nov;31(17):4005-4017. [doi: 10.1016/j.comcom.2008.08.008]

79. Seedorf J. Security issues for P2P-based voice- and video-streaming applications. In: Camenisch J, Kesdogan D, editors. iNetSec 2009 - Open Research Problems in Network Security. IFIP Advances in Information and Communication Technology. Berlin: Springer; 2009:95-110.

80. Washbourne L. A survey of P2P network security. arXiv. 2015. URL: https://arxiv.org/abs/1504.01358 [accessed 2019-10-05]

81. Yang Y, Yang L. A survey of peer-to-peer attacks and counter attacks. The Steering Committee of The World Congress in Computer Science, Computer Engineering and Applied Computing (WorldComp). 2012. URL: http://worldcomp-proceedings.com/proc/p2012/SAM9754.pdf [accessed 2018-10-04]

82. Chunyan X, Zhiyu Y. The research of worms in P2P networks. In: Proceedings of the International Conference on Computational Intelligence and Natural Computing. 2009 Presented at: International Conference on Computational Intelligence and Natural Computing; June 6-7, 2009; Wuhan, China. [doi: 10.1109/cinc.2009.248]

83. Sokolova M, El Emam K, Arbuckle L, Neri E, Rose S, Jonker E. P2P watch: personal health information detection in peer-to-peer file-sharing networks. J Med Internet Res 2012 Jul 09;14(4):e95 [FREE Full text] [doi: 10.2196/jmir.1898] [Medline: 22776692]

84. Abdelouahab M, Bouabdallah A, Achemlal M, Laniepce S. The topology change attack: threat and impact. J Universal Comput Sci 2009;15(2):465-487 [FREE Full text]

85. Johnson ME, McGuire D, Willey ND. The evolution of the peer-to-peer file sharing industry and the security risks for users. In: Proceedings of the 41st Annual Hawaii International Conference on System Sciences (HICSS 2008). 2008 Presented at: 41st Annual Hawaii International Conference on System Sciences (HICSS 2008); Jan. 7-10, 2008; Waikoloa, HI, USA p. 7-10. [doi: 10.1109/hicss.2008.436]

86. Kang M. Responsive Security: Be Ready to be Secure. Boca Raton: CRC Press; 2014:1-259.

87. Zhang Y, Li Z, Hu Z, Tu H, Lin H. A P2P e-commerce related network security issue: P2P worm. In: Proceedings of the International Symposium on Electronic Commerce and Security. 2008 Presented at: International Symposium on Electronic Commerce and Security; Aug. 3-5, 2008; Guangzhou, China. [doi: 10.1109/isecs.2008.187]

88. Barse Y, Tidke S. A study on BOTNET attacks and detection techniques. IOSR J Electri Electron Eng (IOSR-JEEE) 2020;15(3):1-5 [FREE Full text] [doi: 10.9790/1676-1503020105]


89. Wang P, Wu L, Aslam B, Zou CC. Analysis of peer-to-peer botnet attacks and defenses. In: Król D, Fay D, Gabryś B, editors. Propagation Phenomena in Real World Networks. Intelligent Systems Reference Library. Cham: Springer; 2015.

90. Jang-Jaccard J, Nepal S. A survey of emerging threats in cybersecurity. J Comput Syst Sci 2014 Aug;80(5):973-993 [FREE Full text] [doi: 10.1016/j.jcss.2014.02.005]

91. SonicWALL sees dramatic jump in IoT malware, encrypted threats, web app attacks through third quarter. SonicWALL. 2019. URL: https://www.sonicwall.com/news/dramatic-jump-in-iot-malware-encrypted-threats-web-app-attacks-third-quarter/ [accessed 2020-06-04]

92. Engle M, Khan J. Vulnerabilities of P2P systems and a critical look at their solutions. Technical Report, Kent State University.2006. URL: https://www.semanticscholar.org/paper/Vulnerabilities-of-P2P-Systems-and-a-Critical-Look-Engle-Khan/4f86c19fd5b8147cbc5da222903a8c48e79cf7f8 [accessed 2018-10-01]

93. Ali MS, Vecchio M, Putra GD, Kanhere SS, Antonelli F. A decentralized peer-to-peer remote health monitoring system.Sensors (Basel) 2020 Mar 16;20(6):s20061656 [FREE Full text] [doi: 10.3390/s20061656] [Medline: 32188135]

94. Schäfer J, Malinka K. Security in peer-to-peer networks: empiric model of file diffusion in BitTorrent. In: Proceedngs ofthe Fourth International Conference on Internet Monitoring and Protection. 2009 Presented at: Fourth International Conferenceon Internet Monitoring and Protection; May 24-28, 2009; Venice/Mestre, Italy p. 39-44. [doi: 10.1109/icimp.2009.14]

95. Kamat P, Gite S, Kumar M, Patil S. A critical analysis of P2P communication, security concerns and solutions. Int J ApplEng Res 2014;9:30899-30909 [FREE Full text]

96. Lu C, Li F, Cheng J, Ni B, Li H. Quantitative analysis and countermeasures research of P2P routing attacks. In: Proceedingsof the 2nd International Workshop on Intelligent Systems and Applications. 2010 Presented at: 2nd International Workshopon Intelligent Systems and Applications; May 22-23, 2010; Wuhan, China. [doi: 10.1109/iwisa.2010.5473277]

97. Qi M. P2P network-targeted DDoS attacks. In: Proceedings of the Second International Conference on the Applications ofDigital Information and Web Technologies. 2009 Presented at: Second International Conference on the Applications ofDigital Information and Web Technologies; Aug. 4-6, 2009; London, UK. [doi: 10.1109/icadiwt.2009.5273837]

98. Koo H, Lee Y, Kim K, Roh B, Lee C. A DDoS attack by flooding normal control messages in Kad P2P networks. In:Proceedings of the 14th International Conference on Advanced Communication Technology (ICACT). 2012 Presented at:14th International Conference on Advanced Communication Technology (ICACT); Feb. 19-22, 2012; PyeongChang, Korea(South) p. 19-22 URL: https://ieeexplore.ieee.org/document/6174645

99. Cuevas R, Kryczka M, Cuevas A, Kaune S, Guerrero C, Rejaie R. Is content publishing in BitTorrent altruistic orprofit-driven? In: Proceedings of the 6th International COnference. 2010 Presented at: Co-NEXT '10: Conference onemerging Networking EXperiments and Technologies; Nov. 30 - Dec. 03, 2010; Philadelphia, Pennsylvania p. 1-12. [doi:10.1145/1921168.1921183]

100. Divac-Krnic L, Ackermann R. 31 security-related issues in peer-to-peer networks. In: Peer-to-Peer Systems and Applications.Berlin: Springer; 2005:529-545.

101. Yuan Q, Little A, Kabore M, Kabore Y. A study of index poisoning in peer-to-peer file sharing systems. Int J CybernetInformatics 2014 Dec 31;3(6):11-24. [doi: 10.5121/ijci.2014.3602]

102. Lee Y, Kim K, Roh BH. DDoS attack by file request redirection in Kad P2P network. In: Proceedings of the InternationalConference on Cyber-Enabled Distributed Computing and Knowledge Discovery. 2012 Presented at: International Conferenceon Cyber-Enabled Distributed Computing and Knowledge Discovery; Oct. 10-12, 2012; Sanya, China. [doi:10.1109/cyberc.2012.91]

103. Karame GO, Androulaki E, Capkun S. Double-spending fast payments in bitcoin. In: Proceedings of the 2012 ACMconference on Computer and Communications Security. 2012 Presented at: CCS'12: the ACM Conference on Computerand Communications Security; October 16 - 18, 2012; Raleigh North Carolina USA p. 906-917. [doi:10.1145/2382196.2382292]

104. McConaghy T, Marques R, Müller A. BigchainDB: a scalable blockchain database - Whitepaper. BigChainDB. 2016. URL:https://www.bigchaindb.com/whitepaper/ [accessed 2019-10-04]

105. Touceda DS, Sierra JM, Izquierdo A, Schulzrinne H. Survey of attacks and defenses on P2PSIP communications. IEEECommun Surv Tutorials 2011:00152. [doi: 10.1109/surv.2011.060711.00152]

106. Tselios C, Birkos K, Galiotos P, Kotsopoulos S, Dagiuklas T. Malicious threats and novel security extensions in P2PSIP.In: Proceedings of the IEEE International Conference on Pervasive Computing and Communications Workshops. 2012Presented at: IEEE International Conference on Pervasive Computing and Communications Workshops; 19-23 March,2012; Lugano, Switzerland p. 19-23. [doi: 10.1109/percomw.2012.6197612]

107. Kohnen M, Leske M, Rathgeb EP. Conducting and optimizing eclipse attacks in the Kad peer-to-peer network. In: Proceedingsof the International Conference on Research in Networking. 2009 Presented at: International Conference on Research inNetworking; May 11-15, 2009; Aachen, Germany p. 104-116. [doi: 10.1007/978-3-642-01399-7_9]

108. Zou W, Zhang Y, Zhang J, Zhou M, Liu B. Survey of eclipse attacks on DHT networks. Qinghua Daxue Xuebao / J TsinghuaUniv 2011;51(10):1306-1311 [FREE Full text]

109. Aiello LM, Milanesio M, Ruffo G, Schifanella R. An identity-based approach to secure P2P applications with Likir.Peer-to-Peer Netw Appl 2011 Jan 6(4):420-438 [FREE Full text] [doi: 10.1007/s12083-010-0099-6]

J Med Internet Res 2021 | vol. 23 | iss. 11 | e24460 | p. 27https://www.jmir.org/2021/11/e24460(page number not for citation purposes)

Abdullahi Yari et alJOURNAL OF MEDICAL INTERNET RESEARCH

XSL•FORenderX

110. Mi W, Qiu X, Zhang C. The analysis of security threats in structured P2P load balancing schemes. In: Proceedings of theInternational Conference on Cloud and Service Computing. 2011 Presented at: International Conference on Cloud andService Computing; Dec. 12-14, 2011; Hong Kong, China. [doi: 10.1109/csc.2011.6138537]

111. Douceur J. The sybil attack. In: Proceedings of the International Workshop on Peer-to-Peer Systems. 2002 Presented at:International Workshop on Peer-to-Peer Systems; March 7-8, 2002; Cambridge, MA, USA p. 251-260. [doi:10.1007/3-540-45748-8_24]

112. Kannengießer N, Lins S, Dehling T, Sunyaev A. Trade-offs between distributed ledger technology characteristics. ACMComput Surv 2020 Jul;53(2):1-37. [doi: 10.1145/3379463]

113. Tran M, Choi I, Moon GJ, Vu AV, Kang MS. A stealthier partitioning attack against bitcoin peer-to-peer network. In:Proceedings of the IEEE Symposium on Security and Privacy (SP). 2020 Presented at: IEEE Symposium on Security andPrivacy (SP); May 18-21, 2020; San Francisco, CA, USA. [doi: 10.1109/sp40000.2020.00027]

114. Heilman E, Kendler A, Zohar A. Eclipse attacks on bitcoin's peer-to-peer network. In: Proceedings of the 24th USENIXSecurity Symposium (USENIX Security 15). 2015 Presented at: 24th USENIX Security Symposium (USENIX Security15); August 12-14, 2015; Washington, D. C URL: https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/heilman

115. Vanhoef M, Piessens F. Key reinstallation attacks: forcing nonce reuse in WPA2. In: Proceedings of the 2017 ACM SIGSACConference on Computer and Communications Security. 2017 Presented at: CCS '17: 2017 ACM SIGSAC Conference onComputer and Communications Security; October 30 - November 3, 2017; Dallas Texas USA p. 1313-1328. [doi:10.1145/3133956.3134027]

116. Yoon S, Park S, Park H, Yoo HS. Security analysis of vulnerable Wi-Fi Direct. In: Proceedings of the 8th InternationalConference on Computing and Networking Technology (INC, ICCIS and ICMIC). 2012 Presented at: 8th InternationalConference on Computing and Networking Technology (INC, ICCIS and ICMIC); Aug. 27-29, 2012; Gyeongju, Korea(South) URL: https://ieeexplore.ieee.org/document/6418681

117. Dejmal S, Fern A, Nguyen T. Reinforcement learning for vulnerability assessment in peer-to-peer networks. In: Proceedingsof the Twenty-Third AAAI Conference on Artificial Intelligence, AAAI 2008. 2008 Presented at: Twenty-Third AAAIConference on Artificial Intelligence, AAAI 2008; July 13-17, 2008; Chicago, Illinois, USA p. 1655-1662 URL: https://www.researchgate.net/publication/220269202_Reinforcement_Learning_for_Vulnerability_Assessment_in_Peer-to-Peer_Networks

118. Tong J, Xiong G. A research on the vulnerability in popular P2P protocols. In: Proceedings of the 8th International Conferenceon Communications and Networking in China (CHINACOM). 2013 Presented at: 8th International Conference onCommunications and Networking in China (CHINACOM); Aug. 14-16, 2013; Guilin, China. [doi:10.1109/chinacom.2013.6694630]

119. Kim M, Lima L, Zhao F, Barros J, Medard M, Koetter R, et al. On counteracting Byzantine attacks in network codedpeer-to-peer networks. IEEE J Select Areas Commun 2010 Jun;28(5):692-702. [doi: 10.1109/jsac.2010.100607]

120. Chloe A. U.K. High Court orders ISPs to block the pirate bay. PC Magazine. 2012. URL: https://www.pcmag.com/news/297264/u-k-high-court-orders-isps-to-block-the-pirate-bay [accessed 2018-11-05]

121. Wang C, Wang N, Howarth M, Pavlou G. A dynamic peer-to-peer traffic limiting policy for ISP networks. In: Proceedingsof the IEEE Network Operations and Management Symposium - NOMS 2010. 2010 Presented at: IEEE Network Operationsand Management Symposium - NOMS 2010; April 19-23, 2010; Osaka, Japan URL: https://ieeexplore.ieee.org/document/5488483 [doi: 10.1109/NOMS.2010.5488483]

122. Schulze H, Mochalski K. Internet study 2008/2009. IPoque Report. 2008. URL: https://sites.cs.ucsb.edu/~almeroth/classes/W10.290F/papers/ipoque-internet-study-08-09.pdf [accessed 2018-12-09]

123. Liu Z. Control engineering and information systems. In: Proceedings of the 2014 International Conference on ControlEngineering and Information Systems (ICCEIS 2014). 2014 Presented at: International Conference on Control Engineeringand Information Systems (ICCEIS 2014); June 20-22, 2014; Yueyang, Hunan, China p. 1-1052. [doi: 10.1201/b17732]

124. Good N, Krekelberg A. Usability and privacy: a study of Kazaa P2P file-sharing. In: Proceedings of the SIGCHI Conferenceon Human Factors in Computing Systems. 2003 Presented at: CHI03: Human Factors in Computing Systems; April 5 - 10,2003; Ft. Lauderdale Florida p. 137-144. [doi: 10.1145/642611.642636]

125. Johnson ME. Data hemorrhages in the health-care sector. In: Proceedings of the International Conference on FinancialCryptography and Data Security. 2009 Presented at: International Conference on Financial Cryptography and Data Security;February 23-26, 2009; Accra Beach, Barbados p. 71-89. [doi: 10.1007/978-3-642-03549-4_5]

126. Le FF, Handurukande S, Handurukande AM, Massoulié LA. Clustering in peer-to-peer file sharing workloads. In: Peer-to-PeerSystems III. Berlin: Springer; 2005:217-226.

127. File sharing landscape 2017: where did peer-to-peer network users share which files during 2017-2018. TECXIPIO Magazine.URL: https://www.tecxipio.com/single-post/file-sharing-in-peer-to-peer-networks-2017 [accessed 2018-12-06]

128. Casadesus-Masanell R, Hervas-Drane A. Competing against online sharing. Manag Deci 2010 Sep 07;48(8):1247-1260[FREE Full text] [doi: 10.1108/00251741011076771]

129. Abdullahi IY, Abdullahi B, Adeshina SA. Towards a framework of configuring and evaluating Modsecurity WAF onTomcat and Apache web servers. In: Proceedings of the 15th International Conference on Electronics, Computer and

J Med Internet Res 2021 | vol. 23 | iss. 11 | e24460 | p. 28https://www.jmir.org/2021/11/e24460(page number not for citation purposes)

Abdullahi Yari et alJOURNAL OF MEDICAL INTERNET RESEARCH

XSL•FORenderX

Computation (ICECCO). 2019 Presented at: 15th International Conference on Electronics, Computer and Computation(ICECCO); Dec. 10-12, 2019; Abuja, Nigeria. [doi: 10.1109/icecco48375.2019.9043209]

130. Associated Press. German hospital hacked, patient taken to another city dies. Security Week. 2020. URL: https://www.securityweek.com/german-hospital-hacked-patient-taken-another-city-dies [accessed 2020-12-12]

131. Caporusso N, Chea S, Abukhaled R. A game-theoretical model of ransomware. In: Proceedings of the InternationalConference on Applied Human Factors and Ergonomics. 2018 Presented at: International Conference on Applied HumanFactors and Ergonomics; July 21-25, 2018; Orlando, FL, USA. [doi: 10.1007/978-3-319-94782-2_7]

132. Matthew F. WannaCry cyber-attack cost the NHS £92m as 19,000 appointments cancelled. The Telegraph. 2018. URL:https://www.telegraph.co.uk/technology/2018/10/11/wannacry-cyber-attack-cost-nhs-92m-19000-appointments-cancelled/[accessed 2019-10-05]

133. Mohurle S, Patil M. A brief study of WannaCry threat: ransomware attack 2017. Int J Adv Res Comput Sci 2017;8(5):4021[FREE Full text] [doi: 10.26483/ijarcs.v8i5.4021]

134. Ransomware attacks grew by 118%, new ransomware families were detected, and threat actors used innovative techniques.McAfee Labs Threats Report. 2019. URL: https://www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-aug-2019.pdf [accessed 2019-10-05]

135. Handler D, Hauge L, Spognardi A, Dragoni N. Security and privacy issues in healthcare monitoring systems: a case study.In: Proceedings of the 10th International Joint Conference on Biomedical Engineering Systems and Technologies. 2017Presented at: 10th International Joint Conference on Biomedical Engineering Systems and Technologies; February 21-23,2017; Porto, Portugal. [doi: 10.5220/0006224603830388]

136. Martin T, Karopoulos G, Hernández-Ramos JL, Kambourakis G, Nai Fovino I. Demystifying COVID-19 digital contacttracing: a survey on frameworks and mobile apps. Wireless Commun Mobile Comput 2020 Oct 17;2020:1-29. [doi:10.1155/2020/8851429]

137. Zeidler HM. This application is a continuation in part of U.S. application ser. no. 278,001 filed June 24, and now U.S. pat.no. 4,423,287, issued Dec. 27. End-to-end Encryption System and Method of Operation. 1981. URL: https://patents.google.com/patent/US4578530A/en [accessed 2020-07-03]

138. Rösler P, Mainka C, Schwenk J. More is less: on the end-to-end security of group chats in Signal, WhatsApp, Threema.In: Proceedings of the IEEE European Symposium on Security and Privacy (EuroS&P). 2018 Presented at: IEEE EuropeanSymposium on Security and Privacy (EuroS&P); April 24-26, 2018; London, UK p. 415-429. [doi:10.1109/eurosp.2018.00036]

139. Cohn-Gordon K, Cremers C, Dowling B, Garratt L, Stebila D. A formal security analysis of the Signal messaging protocol.In: Proceedings of the IEEE European Symposium on Security and Privacy (EuroS&P). 2017 Presented at: IEEE EuropeanSymposium on Security and Privacy (EuroS&P); April 26-28, 2017; Paris, France. [doi: 10.1109/eurosp.2017.27]

140. Zhao Z, Liu Y, Li H, Yang Y. An efficient user-to-user authentication scheme in peer-to-peer system. In: Proceedings ofthe First International Conference on Intelligent Networks and Intelligent Systems. 2008 Presented at: First InternationalConference on Intelligent Networks and Intelligent Systems; Nov. 1-3, 2008; Wuhan, China. [doi: 10.1109/icinis.2008.142]

141. Dehling T, Sunyaev A. Information security and privacy of patient-centered health IT services: what needs to be done? In:Proceedings of the 47th Hawaii International Conference on System Sciences. 2014 Presented at: 47th Hawaii InternationalConference on System Sciences; Jan. 6-9, 2014; Waikoloa, HI, USA p. 2984-2993. [doi: 10.1109/hicss.2014.371]

142. Levine BN, Shields C, Margolin NB. A survey of solutions to the sybil attack. University of Massachusetts Amherst,Amherst, MA. 2006. URL: https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.84.6395&rep=rep1&type=pdf[accessed 2018-10-05]

143. Damiani E, di Vimercati DC, Paraboschi S, Samarati P, Violante F. A reputation-based approach for choosing reliableresources in peer-to-peer networks. In: Proceedings of the 9th ACM Conference on Computer and Communications Security.2002 Presented at: CCS02: ACM Conference on Computer and Communications Security; November 18 - 22, 2002;Washington, DC USA p. 207-216. [doi: 10.1145/586110.586138]

144. van Vroonhoven J. Peer to peer security. In: Proceedings of the 4th Twente Student Conference on IT. 2006 Presented at:4th Twente Student Conference on IT; January 30, 2006; Enschede, The Netherlands p. 1-10 URL: http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=D4C9D04083126B780B5BB6CC02E129C7?doi=10.1.1.60.3334&rep=rep1&type=pdf

145. Chaokai H, Meng W. Comparison and analysis of different reputation systems for peer-to-peer networks. In: Proceedingsof the 3rd International Conference on Advanced Computer Theory and Engineering (ICACTE). 2010 Presented at:Proceedings of the 3rd International Conference on Advanced Computer Theory and Engineering (ICACTE); Aug. 20-22,2010; Chengdu, China p. 20-23. [doi: 10.1109/icacte.2010.5579838]

146. Banik SM, Pena L. Deploying agents in the network to detect intrusions. In: Proceedings of the IEEE/ACIS 14th InternationalConference on Computer and Information Science (ICIS). 2015 Presented at: IEEE/ACIS 14th International Conferenceon Computer and Information Science (ICIS); June 28 - July 1, 2015; Las Vegas, NV, USA p. 83-87. [doi:10.1109/icis.2015.7166574]

147. Sharma O, Girolami M, Sventek J. Detecting worm variants using machine learning. In: Proceedings of the InternationalSymposium on Electronic Commerce and Security. 2008 Presented at: ACM Conference on Emerging Network Experiment

J Med Internet Res 2021 | vol. 23 | iss. 11 | e24460 | p. 29https://www.jmir.org/2021/11/e24460(page number not for citation purposes)

Abdullahi Yari et alJOURNAL OF MEDICAL INTERNET RESEARCH

XSL•FORenderX

and Technology, CoNEXT 2007; December 10-13, 2007; New York, USA p. 1-12 URL: https://doi.org/10.1145/1364654.1364657 [doi: 10.1145/1364654.1364657]

148. Jain C, Saxena AK. General study of mobile agent based Intrusion Detection System (IDS). J Comput Commun2016;04(04):93-98 [FREE Full text] [doi: 10.4236/jcc.2016.44008]

149. Shah B, Trivedi BH. Improving performance of mobile agent-based intrusion detection system. In: Proceedings of the FifthInternational Conference on Advanced Computing & Communication Technologies. 2015 Presented at: Fifth InternationalConference on Advanced Computing & Communication Technologies; Feb. 21-22, 2015; Haryana, India. [doi:10.1109/acct.2015.118]

150. Zhou CV, Karunasekera S, Leckie C. A peer-to-peer collaborative intrusion detection system. In: Proceedings of the 13thIEEE International Conference on Networks Jointly held with the 2005 IEEE 7th Malaysia International Conference onCommunications. 2005 Presented at: 13th IEEE International Conference on Networks Jointly held with the 2005 IEEE7th Malaysia International Conference on Communications; Nov. 16-18, 2005; Kuala Lumpur, Malaysia. [doi:10.1109/icon.2005.1635451]

151. Hosszú G, Czirkos Z. Network-based intrusion detection. In: Encyclopedia of Internet Technologies and Applications.Hershey, Pennsylvania: IGI Global; 2008:353-359.

152. Graham S, Fu X, Lu B. Network security fundamentals. In: Wiley Encyclopedia of Computer Science and Engineering.Hoboken, New Jersey, United States: John Wiley & Sons; 2008.

153. Mead N, Bower P. Patient-centredness: a conceptual framework and review of the empirical literature. Soc Sci Med 2000Oct;51(7):1087-1110. [doi: 10.1016/s0277-9536(00)00098-8] [Medline: 11005395]

154. Woods SS, Schwartz E, Tuepker A, Press NA, Nazi KM, Turvey CL, et al. Patient experiences with full electronic accessto health records and clinical notes through the My HealtheVet Personal Health Record Pilot: qualitative study. J MedInternet Res 2013;15(3):e65 [FREE Full text] [doi: 10.2196/jmir.2356] [Medline: 23535584]

155. Morana M. How to start a software security initiative within your organization: a maturity based, and metrics drivenapproach. The OWASP Foundation. 2009. URL: https://www.owasp.org/images/c/c4/OWASP-ItalyDayEGov09_04_Morana.pdf [accessed 2018-11-02]

Abbreviations
CIA: confidentiality, integrity, availability
CVSS: Common Vulnerability Scoring System
DDoS: distributed denial-of-service
DHT: Distributed Hash Tables
DLT: distributed ledger technology
DoS: denial-of-service
GDPR: General Data Protection Regulation
HIPAA: Health Insurance Portability and Accountability Act
HTI: health care technology infrastructure
IAS: identity authentication schemes
IDS: intrusion detection systems
IHE: integrating health care enterprise
ISP: internet service provider
MitM: man-in-the-middle
P2P: peer-to-peer
PEPP-PT: Pan-European Privacy-Preserving-Proximity-Tracing
PHS: patient-centered health care information system
PRS: pure random scan
TCP: transmission control protocol
TRM: trust and reputation model

Edited by G Eysenbach; submitted 21.09.20; peer-reviewed by H Kondylakis, C Friedrich, C Fitte, F Teuteberg; comments to author 26.11.20; revised version received 20.05.21; accepted 02.08.21; published 15.11.21

Please cite as:
Abdullahi Yari I, Dehling T, Kluge F, Geck J, Sunyaev A, Eskofier B
Security Engineering of Patient-Centered Health Care Information Systems in Peer-to-Peer Environments: Systematic Review
J Med Internet Res 2021;23(11):e24460
URL: https://www.jmir.org/2021/11/e24460
doi: 10.2196/24460
PMID:


©Imrana Abdullahi Yari, Tobias Dehling, Felix Kluge, Juergen Geck, Ali Sunyaev, Bjoern Eskofier. Originally published in the Journal of Medical Internet Research (https://www.jmir.org), 15.11.2021. This is an open-access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work, first published in the Journal of Medical Internet Research, is properly cited. The complete bibliographic information, a link to the original publication on https://www.jmir.org/, as well as this copyright and license information must be included.
